Blog: Student Data Privacy Articles

Practical tips, best practices, and useful student data privacy resources.

What is PII?

What is PII? What Districts and Families Need to Know

New student data privacy laws are changing the landscape for school districts, educators, and parents. For themselves and for their students’ families, districts are faced with growing concerns about data privacy leading to the question—what is PII? Otherwise known as personally identifiable information. Once defined, districts need to know how to protect it.

PII is any data point that can be used to identify a specific individual. In K–12 schools, the most common pieces of student PII include:

  • Student’s full name
  • Date of birth
  • Social security number
  • Home address
  • Home telephone number

This information is usually stored in a school’s student information system (SIS). In many districts, the SIS is now linked to other programs in a network ecosystem where information is accessible through a single sign on (SSO)—eliminating the need for countless user names and passwords for log-in. SSO vendors, such as Classlink, act as a connector between the school’s SIS and other digital programs. Not only does the SSO allow users to log-in with just one user name and password to access approved programs on the network, but it means that teachers’ class rosters are automatically populated, or “rostered” by the SIS1.

With all digital programs linked together, network security becomes paramount in addition to ensuring that PII is protected. Unless applications or digital resources have been developed by the district itself, these digital programs are provided by third party vendors. These vendors are collecting user data—or student PII. There are federal and state privacy laws that limit what information vendors can collect, how long they can keep it, and what they can use it for. However, it falls to the school district to understand vendors’ privacy policies, negotiate terms, and monitor the vendors for continued compliance. 

District data breaches are more and more common, and student PII is being sold on the dark web. If this happens, it could take years for a student or her family to become aware that the information has been compromised and sold. In the meantime, debt and false records accrue in that student’s name or are tied to the student’s social security number. 

COPPA and FERPA Use Different Definitions of PII

The Children’s Online Privacy Protection Rule (COPPA) protects children under 13 and spells out exactly what online operators and third party vendors must do to protect children. 

Each of the following is considered personal information (PII) under COPPA:

  • Full name
  • Home or other physical address, including street name and city/town
  • Online contact information like an email address or other identifier that permits someone to contact a person directly—screen name, or user name where it functions as online contact information
  • Telephone number
  • Social security number
  • A persistent identifier that can be used to recognize a  user over time and across different sites, including a cookie number, an IP address, a processor or device serial number or unique device identifier
  • A photo, video, or audio file containing a child’s image or voice
  • Geolocation information sufficient to identify a street name and city/town
  • Other information about the child or parent that is collected from the child and is combined with one of these identifiers2.

The Family Educational Rights and Privacy Act (FERPA) considers to be any information that can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information. Direct identifiers include a student’s or other family member’s name, and indirect identifiers, can be a student’s date of birth, place of birth, or mother’s maiden name3.

One thing that causes confusion is that persistent unique identifiers are considered PII under COPPA but not under FERPA. Schools are required to comply with both of these federal privacy laws, in addition to any state or local laws, but as a practical matter, school districts often adopt the more comprehensive COPPA definition of PII to ensure compliance.

As you can see, compliance with state and federal student data privacy laws is complicated. However, it is now a driving concern of school district administrators—and not just those in charge of technology. Understanding how to protect student privacy requires reading each vendor’s privacy policy and vetting the technologies for their level of security. Then, as privacy policies change frequently, districts need to monitor the policies over time to ensure they stay informed of any changes.

How EdPrivacy Provides Data Privacy Peace of Mind

EdPrivacy from Education Framework provides a K–12 privacy management solution that vets the security and safety of all online applications based on their compliance with FERPA, COPPA, and state privacy laws. EdPrivacy’s proprietary rating system provides student data privacy peace of mind as it allows users to see at a glance whether or not the apps they are using are in compliance with state and federal data privacy laws. If there are changes in the law, districts receive notification from EdPrivacy.

EdPrivacy has a searchable database of more than 10,000 vetted online applications, and expertise districts can rely on when it comes to FERPA, COPPA, and state data privacy requirements. With EdPrivacy, districts can review a privacy scorecard for any vendor and quickly determine the safety of the application. Further they can understand whether or not the district can grant consent on behalf of the parents for each individual online resource.  

For a free trial, visit here.


1EdPrivacy works with SSO programs, such as Classlink, G-Suite for Education, and Microsoft Office 365 for Education.
2 Retrieved from
3Retrieved from