Student Data Privacy Laws: What District & School Administrators Need to Know

In recent years, student data privacy has come under intense scrutiny (for very good reason). As technology usage increases in schools, education leaders are scrambling to understand, interpret, and comply with new federal, state, and local privacy laws designed to protect sensitive student information.

The federal student privacy laws that regulate privacy and protect sensitive data when schools issue devices or use educational software are best known as FERPA and COPPA. FERPA, or the Family Educational Rights and Privacy Act, protects the privacy of student education records. The Children’s Online Privacy Protection Act (COPPA) addresses the protection of data for children under the age of 13. Both laws focus on the ongoing and ever-evolving challenge of protecting student data privacy.

Educators, administrators, and parents should acquaint themselves with FERPA and COPPA, as both laws strive to protect sensitive student information. Below we’ll cover the following:

  • An overview of these two fundamental federal data privacy laws
  • Best practice recommendations from the agencies that oversee them
  • Solutions schools are turning to for compliance

 

What is FERPA?

As defined by the U.S. Department of Education, FERPA is federal legislation that allows parents the right to access their child’s education record, the right to have the education record amended, and the right to have some control over the disclosure of their child’s personally identifiable information (PII) from the education record. FERPA law applies to all educational institutions that receive federal funds.

Designed to protect personal privacy, FERPA regulations cover paper and computerized education records, directory information, and de-identified data. Education records are any materials (files, documents, etc.) that contain information directly relating to a student and are maintained by an educational agency or institution, or by a person acting on behalf of the agency/institution. Directory information is any information in the education record that is not considered to be harmful or an invasion of privacy if disclosed. And de-identified data is where all PII has been removed and a reasonable determination has been made that a student is not personally identifiable.

Under FERPA, parents have the right to inspect and review their child’s education records and  schools are expected to respond within 45 days of the information request. Schools are also generally prohibited from sharing student PII without written consent from the parent or guardian.

Understanding the nuances of FERPA and ensuring compliance with the law are important steps in protecting student data privacy. Even seemingly small mishandlings of information by employees can result in unintended exposures of personal information that infringe upon student privacy rights.

FERPA often gets the most attention when it comes to protecting sensitive student information, but COPPA takes privacy a step further, specifically addressing the protection of data for kids under 13.

What is COPPA?

Sometimes referred to as the Children’s Online Privacy Protection Rule, COPPA applies to online services, commercial websites and mobile applications that, knowingly or unknowingly, collect information from individuals under 13.  

Enforced by the Federal Trade Commission (FTC), COPPA prohibits unfair and/or deceptive practices in connection with the collection, use, and disclosure of personal information online from children under the age of 13.

The COPPA Rule spells out what operators of commercial websites and online services must do to protect the privacy and safety of children online, and imposes certain requirements on those individuals that have access to student information.

The Rule specifies what an operator needs to include in a privacy policy, what their responsibilities are to protect child privacy and safety online, and when they need to seek verifiable consent from a parent or guardian. The Rule also sets firm restrictions on marketing to children under 13.

What does COPPA mean for school districts?

It’s important to know that COPPA regulates companies, not schools. But in certain instances, schools may act as the parents’ agent in the consent process, so making sure that school and district leaders understand their role and how it applies under COPPA law is critical in ensuring the protection of student information.

According to the FTC, schools can grant consent on behalf of parents when the operator of a website, online service, or application is specific to “the educational context” and is providing a service that is “solely for the benefit of students and the school system”.

In other words, the school’s ability to consent for the parent is limited to whether the service is used for school purposes. If the service is used for anything other than educational purposes, the operator needs to obtain verifiable consent directly from parents. Targeted advertising, public and/or social profiles, and data sales are all examples of non-educational purposes requiring parental consent.

The FTC expects companies to publicly post a privacy policy that clearly describes what personal information is being collected, and calls for an explanation of how that information may be used. They further recommended that schools make such notices publicly available to parents.

Upon request from the school, operators must give parents the ability to review and/or delete their child’s personal information, and schools are responsible for ensuring that operators delete any personal information once it is no longer needed for its intended educational purpose.

For more information on schools and consent, please see COPPA FAQ, section M.4.

FERPA and COPPA Compliance Solutions for Schools:

Best practice recommendations for protecting sensitive student information

Protecting student data privacy requires careful and secure data handling to meet the requirements of FERPA and COPPA. The FTC and the U.S. Department of Education, the agencies that oversee these laws, recommend thorough review and consideration of third party technologies to ensure proper treatment of sensitive student information.

Reading the privacy policy and terms of use agreement for each online service provider is an important step in protecting student information. Understanding which third party technologies are currently in-use in the district, and determining which operators have access to sensitive student information are also necessary actions to proactively protect student data privacy.

Privacy recommendations for school and district administrators:

  • Have policies and procedures in place to evaluate and approve proposed online technologies.
  • Acquaint yourself with any applicable local, state and federal privacy regulations.
  • Know your rights and obligations under each respective law.
  • Conduct regular audits to determine which online technologies are in-use in your district.
  • Ascertain which service providers have access to student information.
  • Be transparent with parents and students.
  • Understand when parental consent is necessary.  

Questions to ask when determining whether an online technology is safe for use in the classroom:

  • Does the website or online service collect PII from individuals under 13?
  • Does the service provider have a privacy policy publicly posted and does it comply with COPPA?
  • Does the operator need to obtain verifiable consent before collecting personal information?
  • Are you able to act as the parents’ agent in the consent process?
  • Have you honored parental rights with respect to personal information collected from their kids?
  • Are there reasonable procedures in place to protect the privacy of student PII?

 

Solutions schools are turning to for compliance

Protecting student information online is an ongoing effort that takes time and thoughtful consideration. Guidance and resources are available to help online service providers and school district leaders better manage their privacy obligations under the law.

Individuals seeking guidance on either of these laws should consider the following actions:

  1. Reference the FTC COPPA FAQ and the USDOE FERPA FAQ pages to better understand the laws and how they apply in the school context.
  2. Seek out organizations like CoSN and FERPA|Sherpa for helpful resources that assist in navigating the murky waters of protecting sensitive student information.
  3. Consider exploring outside legal and/or professional help to manage your efforts and clarify any questions you may have.

Education Framework actively works to keep student data private, safe, and secure; helping school and district administrators better manage their privacy efforts.

Specializing in vetting online technologies for privacy, EdPrivacy (by Education Framework) is an expert K-12 student data privacy management solution that consistently scores the safety and security of online applications based on compliance with FERPA, COPPA, and other state and local privacy requirements.  

In short, EdPrivacy is a privacy scoring and management system that simplifies and streamlines the vetting process for schools.

EdPrivacy utilizes machine learning-based artificial intelligence to create privacy quality scores for thousands of online technology resources commonly used in classrooms across the nation. The scores help educators and administrators quickly identify safe online technologies and easily determine which service providers respect and protect student data privacy.

With EdPrivacy, school district leaders enjoy privacy peace of mind.

Benefits of EdPrivacy include:

  • Partner with trusted experts in school student data privacy.
  • Access a database of privacy scores for over 9,000 of the most-used online education resources.
  • Understand which education technologies respect and protect sensitive student information.
  • Instill parent confidence that the district is proactively protecting student information online.
  • Publish and maintain a list of safe-to-use technologies approved for use in the classroom.
  • Reduce risk of data breach and ensure compliance with FERPA, COPPA, and state privacy laws.