5 Tips for Protecting Student Data and Living Up to FERPA

Contributing Writer

How can ed-tech companies and K-12 school district technology leaders make sure they are compliant with federal data privacy laws? And just as importantly, what protections should schools and vendors be aware of that aren’t required by federal law?

Student privacy experts addressed these questions at a panel Monday at the International Society for Technology in Education’s annual conference in Chicago.

The panelists discussed the Family Educational Rights and Privacy Act (FERPA), which prohibits the disclosure of students’ protected information to a third party under most circumstances. The law includes an exception for those designated as “school officials.” In those instances, schools can share students’ data with third parties, including ed-tech companies, as long as the school retains “direct control” over the information and the vendor is using the data for a legitimate educational interest, as defined by the school.

Because the law mandates that companies follow school systems’ policies when it comes to approved uses of student data, requirements for FERPA compliance can vary from district to district, said Michael Hawes, the director of the Student Privacy Policy and Assistance Division at the U.S. Department of Education.

That means a vendor proclaiming that they’re “FERPA-compliant” on their website or promotional materials is essentially meaningless, he said.

“There is no such thing as a ‘FERPA seal of approval,'” Hawes said.

Student Privacy Pledge a ‘Good Start’

Then there’s the Student Privacy Pledge, a voluntary set of restrictions around student data that has been signed by more than 300 ed-tech companies.

Even if a vendor signs on to the pledge, districts still need to ensure that they’re FERPA-compliant, said Sara Kloek, the director of education policy at the Software and Information Industry Association.

Signing the pledge is “a good start,” she said, “but it doesn’t get into the specific state privacy laws, or even the individual practices of your particular district or school.”

When vendors make blanket statements of FERPA compliance, it’s an indication that they don’t understand what the law requires, said Bill Fitzgerald, a student privacy expert and a project director at InnovateEDU, a Brooklyn-based education equity nonprofit.

District should “hammer them on that, because that’s bad practice,” he said.

And even if they actually do comply with FERPA, the ed-tech apps that students are using could still put their privacy at risk, said Fitzgerald.

Conversations about student privacy tend to focus on personally identifiable information, which is “a pretty narrow spectrum of information,” Fitzgerald said. And while most of the privacy issues that surface aren’t the result of bad intent, they can still have consequences for kids, he said.

Kloek recommends that districts have detailed conversations with the vendors they’re hoping to work with, focusing on district-specific policies and the laws of their particular state.

Data-privacy Tips and Suggestions

The panel offered some suggestions for issues that should be raised in conversations between vendors and districts, as well as tips for districts developing their own privacy policies:

1. Be prepared to be held to high data-privacy standards. The Student Data Privacy Consortium, an alliance of districts across several states, has created a model contract that districts can use when evaluating products. They list the vendors that are members of the consortium on their website.

“If you want to work with a vendor that’s on that list, make the same demands,” Fitzgerald told educators.

Similarly, districts looking to partner with companies that also work in the European Union can ask that the vendors follow GDPR, recently-passed European legislation that gives individuals more control over and access to their data.

Ed-tech companies aren’t required to agree to these requests, but “it’s a good conversation to have,” said Fitzgerald, “because you’ll get a sense of how customer-centric their posture is and how privacy-centric their posture is.”

2. Understand ‘data sunsets’ and explain them. Companies will sometimes include their privacy policies information about when (or if) they will delete the data that they collect, Fitzgerald said.

Districts should check to make sure that the timeline is reasonable, taking into account the sensitivity of the data in question and how critical it is to the work of the vendor.

3. Be aware of district policies outlining who reviews products, and what they’re looking for. The district central office doesn’t have to be responsible for reviewing all products, said Hawes, but there should be a district-wide protocol for how to evaluate potential ed-tech tools. Hawes recommends that the staff who will be going through this process—a group that can include teachers—are using uniform criteria, he said.

4. Don’t attempt to side-step FERPA, and know the law. Many districts have tried to avoid addressing FERPA compliance by asking parents to give consent for apps and other services, said Hawes. Districts can do this for products that are optional, but for products that are required to participate in daily instruction, this isn’t a viable option, he said.

“Parents cannot be forced to waive their FERPA rights as a condition of receiving educational services for their children.”

5. Be transparent. When vendors and districts face pushback from parents about data collection, it’s often because they are secretive about their practices, said Hawes.

“In the absence of full information, people tend to assume the worst,” he said. If district leadership or an ed-tech vendor feels like they can’t justify their data collection practices, that’s a problem, said Hawes. “If parents would freak out about the list of data elements you’re collecting, then you need to think about why you’re collecting them.”

Follow EdWeek Market Brief on Twitter @EdMarketBrief or connect with us on LinkedIn.


See also: 

Leave a Reply

Your email address will not be published. Required fields are marked *