Educational institutions face greater legal exposure given their increasing use of online educational services – and situations where they can both collect and disclose protected information. As a result, these institutions should be aware of a memo on student privacy laws issued recently by the Department of Education's Privacy Technical Assistance Center (PTAC).
The PTAC memo lays out best practices for protecting student information used in connection with online educational services and focuses on two federal laws: the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA). Full compliance still involves addressing local laws and each institution's circumstances, however.
Failure to comply with the various state and federal laws protecting student privacy can have serious consequences for educational institutions. Consequently, educators and administrators need to stay up to date on the best practices for effectively preventing and responding to the loss or misuse of personal information. Given the rapid evolution of education technology, and the ever-increasing amounts of information shared electronically, staying current is no easy task.
In response to these needs, the U.S. Department of Education established the Privacy Technical Assistance Center ("PTAC") to assist educational institutions, students and parents in understanding issues of information privacy, confidentiality and security practices relating to student information. On February 25, 2014, PTAC issued a guidance memorandum – Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices – to assist educators and school administrators in navigating certain laws relating to student privacy. The memo – which can be found here – also outlines best practices for protecting student information used in connection with online educational services.
Online Educational Services, FERPA and the PPRA
PTAC has recognized that schools increasingly use online educational services to fulfill their educational mission. Classrooms increasingly employ Internet resources, virtual classrooms, personalized websites and social media as educational tools. Many of these tools are not only accessible through classroom computer, but are now increasingly available on smart phones and tablets. The growing use of online educational services has created situations where, intentionally or not, schools collect and, in certain instances, disclose protected information. As a result, schools are facing greater legal exposure when they introduce new technologies.
PTAC's guidelines focuses primarily on two federal student privacy laws: the Family Educational Rights and Privacy Act ("FERPA") and the Protection of Pupil Rights Amendment ("PPRA").
FERPA defines a student’s education records as "records that are: (1) directly related to a student; and (2) maintained by an educational agency or institutions by a party acting for the agency or institution." FERPA further defines "personally identifiable information" as information that can identify a student, including but not limited to the student's name, family names, address of the student or family, a personal identifier for the student (for example, a social security number), date and place of birth, the student's mother's maiden name, or any other information that would allow a third person to identify the student. Given the broad definition included in FERPA, educational institutions should approach the prospect of disseminating information that relates to a student with caution.
FERPA contains exceptions that allow educational institutions to disclose Personally Identifiable Information about students under certain circumstances to third parties. The exceptions, however, may not be obvious, and disclosure of personally identifiable information should only be done after careful deliberation and with the appropriate safeguards in place to ensure that disclosure is lawful.
PPRA requires schools to directly notify parents of students who will participate in activities involving the collection, disclosure, or use of personal information from students for marketing purposes. It also requires schools to directly notify parents if information will be sold or otherwise provided to third parties for marketing purpose. PPRA applies to all K-12 schools that receive any federal funding from the Department of Education.
Potential Problems and Best Practices
Navigating FERPA, PPRA and other privacy laws and regulations can be challenging. The laws are complicated, fact-specific and can vary from state to state. To stay in compliance, schools should regularly review their policies and procedures to ensure that they are meeting the legal standards for security, confidentiality and integrity of student information.
One issue of particular concern is the use of applications and resources provided by third party vendors. "Terms of Service" for these resources often allow third-party vendors to collect and disseminate information about their users. To the extent this includes student information, educational institutions must ensure that such collection and disclosure does not violate FERPA, PPRA or other privacy statutes.
Another issue is whether schools or districts are sufficiently transparent with parents and students about the information that is collected and their rights under FERPA, PPRA and other applicable standards. In addition to providing an annual notification required by law, schools and educational institutions are encouraged to have clear policies and procedures in place and make those policies and procedures readily available to students and parents to explain how data is collected, shared and secured. Educational institutions are also encouraged to have policies in place to deal with any data breach, including procedures to notify affected students and parents.
The Department of Education recommends the following "best practices" when assessing information collection and sharing:
Maintain awareness of relevant laws.
Be aware of which online educational services are currently being used in your district or school.
Have policies and procedures to evaluate and approve proposed online educational services.
When possible, use a written contract or legal agreement.
Know what the terms of service are for any third-party vendors and ensure that any data collection is consistent with applicable laws.
Be transparent with parents and students.
Obtain parental consent where necessary.
While the Department of Education guidance is welcome and helpful, it is limited. Educational institutions still need to address local laws and the unique circumstances of their operations. To ensure legal compliance, institutions are well advised to consult with legal counsel and include various stakeholders, including experienced information technology professionals, in the development of their data privacy policies.