The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) has recently released requirements and best practices for protecting student privacy while utilizing online educational services. The PTAC is intended to be a resource for school districts regarding data privacy, confidentiality, and security practices related to the use of student data.
The PTAC notes that new technologies have allowed for the delivery of personalized educational content, virtual forums for interacting with other students and teachers, and a variety of other interactive technologies. These technologies, however, raise questions as to how to best protect student privacy during use, as well as the use of student data by third-party vendors.
With the increased concern by educational officials for protecting student information from third-party vendors, beyond the protections provided by the Family Educational Rights and Privacy Act (FERPA), the PTAC has issued seven recommendations for protecting student privacy when using online services.
1. Maintain awareness of other relevant federal, state, tribal, or local laws
FERPA and the Protection of Pupil Rights Amendment (PPRA) are not the only laws that protect student information. Other laws may apply to online educational services. In particular, the requirements of the Children’s Online Privacy and Protection Act (COPPA) may apply to the use of online educational services for children under the age of 13. COPPA applies to commercial websites and online services directed to children. Absent an exception, these sites must obtain verifiable parental consent prior to collecting personal information from children.
2. Be aware of which online educational services are currently being used in your district
The PTAC recommends conducting an inventory of the online educational services being used within your school district. Having a master list of online services will assist school officials to ensure that the district is following best practices for protecting student information.
3. Have policies and procedures to evaluate and approve proposed online educational services
School districts should be clear with both teachers and administrators about how proposed online educational services can be approved, and who has the authority to enter into agreements with providers. This is true not only for formal contracts, but also for consumer “click-wrap” software that is acquired simply by clicking to “accept” the provider’s terms of service.
It is particularly important that teachers and staff not bypass internal controls concerning acquisition when deciding to use free online educational services. The Department of Education recommends that free online educational services go through the same or similar approval process as paid educational services to ensure that they are not a risk to the privacy or security of student information.
4. When possible, use a written contract or legal agreement
Having a written contract or legal agreement assists school districts in maintaining the required “direct control” over the use and maintenance of student data. Even when student FERPA rights are not implicated, the Department recommends using written agreements.
These written agreements should include:
- Security and data stewardship provisions that make clear whether the collected data belongs to the school district or the provider, and describe each party’s responsibilities in the event of a data breach.
- Collection provisions that are specific about the information that the provider will collect.
- Data use, retention, disclosure and destruction provisions that define the specific purposes for which the provider may use student information and bind the provider to only approved uses. These provisions should specify with whom the provider may share student information. Data archival and destruction requirements should be included to ensure that student data is no longer on the provider’s system after the contract period is complete.
- Data access provisions that specify whether the school, district and/or parents will be permitted access to the data and explain the process for obtaining access. This is especially important if the online provider will be creating new student information or education records.
- Modification, duration and termination provisions that clearly state how long the agreement will be in place, what the procedures are for modifying the agreement, and what each party’s responsibilities are upon the termination of the agreement, with a particular focus on the disposition of student information that is maintained by the provider.
- Indemnification and warranty provisions that are specific about what a provider will do in order to comply with applicable federal and state laws, such as FERPA, and what the provider will do to remedy any violation of these requirements, including compensating the district for damages resulting from the violation.
5. Extra steps are necessary when accepting “click-wrap” licenses for consumer apps
School districts often cannot negotiate agreements with providers of consumer apps and are faced with accepting the provider’s terms of service (TOS) if they are to use the app. Accordingly, extra caution is warranted before using these apps:
- Check amendment provisions in the TOS to determine if the provider has retained the right to amend the TOS without notice. This is particularly important if the provider will have access to FERPA-protected information, as the ability to amend terms without notice can conflict with FERPA’s requirement to maintain “direct control” over the use and maintenance of information.
- Print out and save the TOS.
- Limit authority as to who may accept the TOS. School districts should develop policies specifying which individual teachers may download and use “click-wrap” software, and when.
6. Be transparent with parents and students
Beyond the notification requirements of FERPA and PPRA, the Department recommends that school districts clearly explain on their websites how and with whom they share student data, including online educational services. Even when student information is not protected by FERPA, it is a suggested best practice to inform students and their parents of what information is being collected and how it will be used.
7. Consider that parental consent may be appropriate
Even when FERPA does not require parental consent, school districts should consider whether such consent is appropriate.
Given the increasing role of outside providers in providing educational services, and their access to student information, school districts are well advised to take the Department of Education’s recommendations into account when utilizing these services.