U.S. Department of Education Issues Guidance to Protect Student Privacy Online

by Holland & Knight LLP

  • Educational institutions face greater legal exposure given their increasing use of online educational services – and situations where they can both collect and disclose protected information. As a result, these institutions should be aware of a memo on student privacy laws issued recently by the Department of Education's Privacy Technical Assistance Center (PTAC).
  • The PTAC memo lays out best practices for protecting student information used in connection with online educational services and focuses on two federal laws: the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA). Full compliance still involves addressing local laws and each institution's circumstances, however.

Failure to comply with the various state and federal laws protecting student privacy can have serious consequences for educational institutions. Consequently, educators and administrators need to stay up to date on the best practices for effectively preventing and responding to the loss or misuse of personal information. Given the rapid evolution of education technology, and the ever-increasing amounts of information shared electronically, staying current is no easy task.

In response to these needs, the U.S. Department of Education established the Privacy Technical Assistance Center ("PTAC") to assist educational institutions, students and parents in understanding issues of information privacy, confidentiality and security practices relating to student information. On February 25, 2014, PTAC issued a guidance memorandum – Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices – to assist educators and school administrators in navigating certain laws relating to student privacy. The memo – which can be found here – also outlines best practices for protecting student information used in connection with online educational services.

Online Educational Services, FERPA and the PPRA

PTAC has recognized that schools increasingly use online educational services to fulfill their educational mission. Classrooms increasingly employ Internet resources, virtual classrooms, personalized websites and social media as educational tools. Many of these tools are not only accessible through classroom computers, but are now increasingly available on smart phones and tablets. The growing use of online educational services has created situations where, intentionally or not, schools collect and, in certain instances, disclose protected information. As a result, schools are facing greater legal exposure when they introduce new technologies.

PTAC's guidelines focus primarily on two federal student privacy laws: the Family Educational Rights and Privacy Act ("FERPA") and the Protection of Pupil Rights Amendment ("PPRA").


FERPA defines a student’s education records as "records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution." FERPA further defines "personally identifiable information" as information that can identify a student, including but not limited to the student's name, family names, address of the student or family, a personal identifier for the student (for example, a social security number), date and place of birth, the student's mother's maiden name, or any other information that would allow a third person to identify the student. Given the broad definition included in FERPA, educational institutions should approach the prospect of disseminating information that relates to a student with caution.

FERPA contains exceptions that allow educational institutions to disclose personally identifiable information about students to third parties under certain circumstances. The exceptions, however, may not be obvious, and disclosure of personally identifiable information should only be done after careful deliberation and with the appropriate safeguards in place to ensure that disclosure is lawful.


PPRA requires schools to directly notify parents of students who will participate in activities involving the collection, disclosure, or use of personal information from students for marketing purposes. It also requires schools to directly notify parents if information will be sold or otherwise provided to third parties for marketing purposes. PPRA applies to all K-12 schools that receive any federal funding from the Department of Education.

Potential Problems and Best Practices

Navigating FERPA, PPRA and other privacy laws and regulations can be challenging. The laws are complicated, fact-specific and can vary from state to state. To stay in compliance, schools should regularly review their policies and procedures to ensure that they are meeting the legal standards for security, confidentiality and integrity of student information.  

One issue of particular concern is the use of applications and resources provided by third-party vendors. "Terms of Service" for these resources often allow third-party vendors to collect and disseminate information about their users. To the extent this includes student information, educational institutions must ensure that such collection and disclosure do not violate FERPA, PPRA or other privacy statutes.

Another issue is whether schools or districts are sufficiently transparent with parents and students about the information that is collected and their rights under FERPA, PPRA and other applicable standards. In addition to providing an annual notification required by law, schools and educational institutions are encouraged to have clear policies and procedures in place and make those policies and procedures readily available to students and parents to explain how data is collected, shared and secured. Educational institutions are also encouraged to have policies in place to deal with any data breach, including procedures to notify affected students and parents.

The Department of Education recommends the following "best practices" when assessing information collection and sharing:

  • Maintain awareness of relevant laws.
  • Be aware of which online educational services are currently being used in your district or school.
  • Have policies and procedures to evaluate and approve proposed online educational services.
  • When possible, use a written contract or legal agreement.
  • Know what the terms of service are for any third-party vendors and ensure that any data collection is consistent with applicable laws.
  • Be transparent with parents and students.
  • Obtain parental consent where necessary.

While the Department of Education guidance is welcome and helpful, it is limited. Educational institutions still need to address local laws and the unique circumstances of their operations. To ensure legal compliance, institutions are well advised to consult with legal counsel and include various stakeholders, including experienced information technology professionals, in the development of their data privacy policies.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Knight LLP | Attorney Advertising
