Common Questions
Schools have always had to find that the tricky balance between ensuring student autonomy and dignity (both of which are necessary for learning) and surveilling and monitoring students (both of which are necessary to keep students safe and assess what they’ve learned). New technology and cheap data storage have certainly altered the educational landscape, but the underlying tension between privacy and monitoring in schools has not changed. Student and child privacy laws at the federal level work to address this tension by ensuring that
- information about a student is used fairly
- information about a student is used only for its intended purpose and not for unwanted or unanticipated purposes
- students are not coerced into divulging personal information
- students are not exposed to deceptive messages
In recent years, as more and more information is created and shared digitally, and data breaches and identity theft have become a bigger concern, state laws have been passed to regulate what information schools can collect and share online and what website and online application operators can do with it.
Student Privacy Laws
FERPA: The primary federal law that protects student privacy is the Family Educational Rights and Privacy Act (FERPA), which was passed in 1974. The main goals of FERPA are to ensure that information about a student is used fairly by providing annual notice to parents about their rights toward student data, namely
- the right to inspect and review records maintained by the school
- the right to seek to amend records they believe are misleading, inaccurate, or otherwise in violation of a student’s privacy
- the right to consent disclose records to other individuals
- the right to file complaints with the Department of Education if they believe their rights under FERPA have been violated
Furthermore, FERPA ensures that information about a student is only used for its intended purpose by requiring that disclosures of student data only occur with written consent. FERPA includes several exceptions to this rule that allow the school to share information without consent in specific cases that benefit students, provided that certain guardrails are in place.
PPRA: The Protection of Pupils Rights Amendment (PPRA) is a law that ensures that students are not coerced into divulging certain personal information. This is done by giving annual notice to parents of surveys the school will be giving and giving parents the right to inspect and review the materials. Depending on the funding source of the survey, parents will be given the ability to either opt in to participation or opt out.
COPPA: The Children’s Online Privacy Protection Act (COPPA) is a law that regulates websites and online applications that collect information from children to ensure that they are not following deceptive practices. In general, these operators are required to provide notice and gather verifiable parental consent before collecting information from a child. Under the law, schools are allowed to provide consent in the place of a parent, provided that the website or online application only uses the information collected for educational purposes.
IDEA: The Individuals with Disabilities Education Act (IDEA) ensures that students with disabilities are given an appropriate education that is tailored for their needs. Since this requires collecting very sensitive personal information, the law specifies some additional privacy protections to ensure that this information is not used for other purposes.
CIPA: The Children’s Internet Protection Act (CIPA) is a law that provides federal funding to schools that monitor and filter internet content and requires that schools teach students about digital citizenship and staying safe online. Though it is not directly a privacy law, it hits on many aspects of privacy since schools will have to determine the appropriate amount of monitoring and filtering as well as cover protecting personal privacy as part of the digital citizenship curriculum.
NSLA: The National School Lunch Act (NSLA) is a law that governs school lunch programs, and it includes provisions related to protecting financial data submitted as part of free and reduced lunch applications. Aside from being able to share a student’s eligibility status for free or reduced lunch in limited cases and for auditing the management of the program, the information from these applications can only be shared with parental consent.
Between 2013 and 2018, 40 states passed 125 laws that relate to student privacy. In general, these have coincided with states moving to online statewide testing (which has increased the quantity of data created and shared) and as states have built integrated data systems that combine data from multiple state agencies. Some common goals of these laws are
- building upon FERPA and PPRA by further restricting what student data a school can collect or share with others
- providing further requirements and guardrails related to student data shared with websites, online services, and applications
- designating a chief privacy officer and other individuals at the local level responsible for ensuring compliance with privacy laws
- requiring more transparency about what data schools collect and what it is used for
- requiring that schools and vendors meet certain data security standards
- requiring notification to parents in the event of a data security breach
Under FERPA, parents and eligible students are given four rights, namely
- the right to inspect and review records maintained by the school
- the right to seek to amend records they believe are misleading, inaccurate, or otherwise in violation of a student’s privacy
- the right to consent disclose records to other individuals
- the right to file complaints with the Department of Education if they believe their rights under FERPA have been violated
State laws may provide parents with additional rights, such as the right to sue an educational website for damages after a data breach.
Schools that receive funding from a program administered by the US Department of Education generally have to comply with federal student privacy laws even if they receive most of their other funding from private sources. For example, many private college and universities still have to follow laws like FERPA since they receive funds via the Federal Student Aid program.
Privacy and the Internet
Students may choose to share personal information online in ways that schools may not be able to protect. Students can take several steps to better protect their data online, beyond protections schools can provide. Students may choose to do any or all of the following:
- Know when you are public. When sharing information on forums or social media, check whether your post will be private or public. When you share information publicly, it is available for other to copy, share, or retain without your explicit permission. Make sure that when you are sharing information online, you understand that you may be sharing personal or sensitive information and that you have the choice on whether publicly posting or keeping such information private.
- Use privacy settings. When sharing information on certain sites or devices, such as a smart phone, you may have the option to choose how your data is collected or shared. For example, certain apps on your phone may track your location, which may be helpful in telling your parents where you are in an emergency, but may not be helpful when the app you are using is a video game that does not need your location to function. Remember that there are usually settings available to you to customize your privacy. If a website, social media site, or app does not give you privacy setting options, you may want to consider not using that site or app if you want to protect your information.
- Delete data. When you find yourself no longer using a site or app, you can choose to delete your account or data. Usually you are able to delete your account while logged in through settings or you can email the appropriate contact listed on the website or app and ask for deletion.
- Browse securely. When you browse the web, you may find that some websites are secure and others are not. One easy way of knowing whether you are on a secure site is making sure that the URL at the top of your browser includes the text “https://”, rather than “http://” at the beginning of the URL text. Seeing the text “https://” means that the website secures the exchange of information on the site so when you share information, it is safer.
- Update your passwords regularly. If you have accounts on websites or apps, make sure to use a password that is difficult to guess, such as including allowable numbers and symbols, and does not include any personal information. Additionally, try to change your password on your accounts on a regular basis, such as every three to six months or every year. This makes it more difficult for hackers to get into your account and know your personal information.
- Only communicate online with people you know offline. You may find that you will receive emails, messages, or follows from people you are not sure you know or from people who promise you something you want if you give them some information about yourself. Be careful with these types of communications. Often, these messages could be what is called “phishing,” where someone you don’t know is trying to trick you into giving them personal information in order to use it in a way you would not consent to. The easiest way to avoid this is to only communicate online with people you have already met offline and to report or delete any emails or messages from people you do not know.
- Clear your browser history and cookies. While terms like “browser history” and “cookies” might seem technically complicated, it is fairly easy to understand why it is important to clear them and how. When you browse the internet, websites may collect information about you by tracking what other websites you visit or what information you input into text boxes. While this could be useful to you by having your browser remember your passwords for quick and easy log-ins, websites may be tracking more than what you think by using cookies. If you want to protect your information, you may want to use your browser settings to clear your history and your cookies every so often. This may result in you having to type out your log-in information when signing back into websites you have an account with.
- Go incognito. Most browsers allow you to use a “private window,” which means that your browser will not keep data about your browser history or cookies. This makes it more difficult for websites to track you and your information.
- Ask a trusted adult. Especially if you are 13 years old or younger, it may be very helpful to speak to an adult you trust about your online use. Usually you can speak to your parents, a teacher, or a relative who may understand how to protect your privacy online or will have access to resources that can help both of you understand.
- Install antivirus software on your devices. Antivirus software helps protect your computer or other devices against attacks from hackers who may use computer viruses or other malware to gather your personal information and track your online behavior. You may want to discuss antivirus software options with a trusted adult before installing the software. There are various types of antivirus software, including ones that require payment and ones that are free. One thing to be careful about is to make sure that you are downloading a validated and well-known antivirus software, because some antivirus software you may find for free online are actually viruses themselves.
Children use various educational programs and e-games for both learning and fun. There are other rules that apply to children who access educational or non-educational web programs through personal computers, and through mobile apps on tablets and smartphones. Parents should be aware that data that is collected about their student, that is not a part of their educational record at school does not fall under the protection of FERPA.
GreatSchools has this video about keeping children safe online. The Federal Trade Commission, the government agency that enforces the Children’s Online Privacy Protection Act (COPPA), offers tips to parents about how to protect their children’s privacy online. Additionally, kidSAFE provides a quick one-pager on COPPA. More detailed information is available through the Center for Digital Democracy their COPPA parent guide, “The New Children’s Online Privacy Rules: What Parents Need to Know.” Moms with Apps has also provided a nice breakdown of 5 Things Moms Need to Know about Apps.
Some other resources for parents include the following:
- StaySafeOnline provides a number of key resources to help parents teach their children about good digital citizenship.
- 6 Reasons Why Parents Should Care About Kids and Online Privacy
- Common Sense Media’s Privacy and Internet Safety Webpage
- Family Online Safety Institute’s (FOSI) Good Digital Parenting Webpage
- FPF report on “Kids & The Connected Home: Privacy in the Age of Connected Dolls, Talking Dinosaurs, and Battling Robots.”
Educators routinely use new education apps in the classroom to help students learn. However, some of these apps can make student data vulnerable to hacks, advertisers, or other privacy harms. When you sign students up for an app, you might actually be violating FERPA! Read below for best practices.
Be familiar with your school’s policy or process for selecting new educational tools, if one exists. If an app or service you want to use is not on the “approved” list, ask for it to be vetted and ask how long the vetting process takes. If the process is lengthy, you will want to redesign your lesson or project plan. Once the app is approved, you can certainly use it later. The list may also contain similar alternative apps you can use in the meantime.
If no such vetting process exists in your school, the checklist at the bottom of this section can help you quickly evaluate whether your students’ information will be protected.
You can also look to sources like Common Sense Media or iKeepSafe to see if they have “rated” or “badged” an edtech product for privacy. You can also check the database of the Student Data Privacy Consortium to see which apps are being used by other districts. Note that none of these sites replace getting the app you want to use vetted by your school, they are just signals of which apps are more privacy friendly – make sure you check with them!
Some tools have already been vetted
If your school or district has an approved list of ed tech products, services, websites, or apps, check that the service you use is included and ensure you are aware of any requirements or privacy options. When schools and districts decide to adopt certain technology tools, they should evaluate those tools to ensure they meet data privacy requirements. Some examples include:
- Workflow and collaboration tools where students and teachers draft work together, give feedback, and communicate throughout the learning process.
- Learning Management Systems (LMS) where teachers post instructions, assignments, and links to resources for students and parents to access.
- Online gradebooks where teachers post grades and students and parents can access them using a username and password.
- Communication tools for emails or newsletters.
Schools are allowed to rely on technology companies to provide products and services, but have the responsibility to ensure that those vendors have appropriate protections in place for student data. The school must ensure that it retains direct control over the information the company collects, uses, and maintains. Schools are responsible for seeing that companies working with the school directly only use student information for authorized educational purposes. These companies have access to this data under the “school official” exception, for the limited purpose of using student information for educational purposes only.
As a teacher, you cannot officially endorse use of an outside product, but you can explain to the student the considerations they should take into account, including recommending the student let their parents know too. It’s quite common for students to find education apps on their own to use for projects, and educators should encourage students to be creative and take their suggestions seriously. This is a teachable moment—a great opportunity to talk with the student about data privacy and review that digital citizenship curriculum.
Here are some examples of questions you could use to start the conversation with your student:
- Did you have to make an account in order to start using that app? If so, did you have to provide personal information (email, name, age, etc.)?
- Does the app require parental permission? Who has access to your email and other information now that you’ve created that account?
- Does the app developer share your information with others? (It’s in their privacy policy.)
- Does the app collect additional information such as location or contacts?
In all likelihood, your student will not know the answers to some of these questions. That is OK, but it is important to explain to them that all of this information belongs to them. They should think about protecting it, and should be encouraged to discuss their choices at home with their parents as well.
Again, you can also suggest to them that they see if that tool is rated or badged on Common Sense Media, iKeepSafe, or in the database of the Student Data Privacy Consortium.
If you, the teacher, want to recommend an app that was not specifically designed for education, checking with your administration, complying with applicable school policies, and using the checklist in this guide just as you would for an education-specific app is still a best practice. It’s a common issue because there are many “consumer apps,” which are not designed for education, that students may wish to use for learning or to help them with their homework and projects. These may include research tools, note taking apps, collaboration tools or apps that allow users to make videos, record audio or create other media such as cartoons, images, and so on.
However, commercial products not designed and marketed for schools may not have the privacy policies and practices in place to ensure the protection of user data to the standards of laws that protect student information. Therefore, if not prohibited by school policy, these products should be carefully evaluated to see if their use will put student data at undesirable risk.
If a student approaches you and asks to use an app for your assignment that you’re not familiar with, it is a good idea to use the opportunity to talk to your student using the suggested questions above.
Again, harness that teachable moment.
- Does the product collect Personally Identifiable Information? FERPA, the federal privacy law applies to “education records” only, but many state laws cover ALL student personal information.
- Does the vendor commit not to further share student information other than as needed to provide the educational product or service? (such as third party cloud storage, or a subcontractor the vendor works with under contract.) The vendor should clearly promise never to sell data.
- Does the vendor create a profile of students, other than for the educational purposes specified? Vendors are not allowed to create a student profile for any reason outside of the authorized educational purpose.
- When you cancel the account or delete the app, will the vendor delete all the student data that has been provided or created?
- Does the product show advertisements to student users? Ads are allowed, but many states ban ads targeted based on data about students or behavioral ads that are based on tracking a student across the web. TIP: Look for a triangle i symbol ( ) which is an industry label indicating that a site allows behaviorally targeted advertising. These are never acceptable for school use. This would be particularly important when evaluating non-education-specific sites or services.
- Does the vendor allow parents to access data it holds about students or enable schools to access data so the school can provide the data to parents in compliance with FERPA?
- Does the vendor promise that it provides appropriate security for the data it collects? TIP: A particularly secure product will specify that it uses encryption when it stores or transmits student information. Encrypting the data adds a critical layer of protection for student information and indicates a higher level of security.
- Does the vendor claim that it can change its privacy policy without notice at any time? This is a red flag—current FTC rules require that companies provide notice to users when their privacy policies change in a significant or “material” way, and get new consent for collection and use of their data.
- Does the vendor say that if the company is sold, all bets are off? The policy should state that any sale or merger will require the new company to adhere to the same protections.
- Do reviews or articles about the product or vendor raise any red flags that cause you concern?
Parents need to trust both schools and the service providers that work with schools. In an effort to ensure parents can be confident in how organizations use student data, the Future of Privacy Forum and the Software & Information Industry Association developed the Student Privacy Pledge in 2014. The Pledge is legally enforceable: by taking the Pledge, a company is making a public statement of their practices with respect to student data. Accountability comes from the Federal Trade Commission (FTC), which has the authority to bring civil enforcement actions against companies who do not adhere to their public statements of practices.
Companies can apply to join the Pledge here.
Communication and Transparency
The Future of Privacy Forum surveyed parents in 2016 to better understand their views of technology use and student privacy. Overall, this survey showed the increasing prevalence of technology use by both parents and students, increasing levels of support by parents of the appropriate collection and use of data by schools, and continued strong belief in the possibilities of technology to improve their child’s educational opportunities. The goals for educators, advocates, and policymakers remain to communicate policies clearly; establish transparent practices; and work with parents as key partners in the educational system to achieve the best learning outcomes for our children. For more details, see this blog post.
Here are the seven most important questions that parents should ask about student privacy during the school year.
- Which websites, services, and apps will my child’s classroom use this year?
- How does my school handle directory information?
- What is my school’s approach to school safety, and what does it mean for my child’s privacy?
- Does my child’s school administer surveys?
- What are the rules for recording devices in my child’s school?
- How is my child’s information secured?
- How does the school train teachers and staff to protect student information?
For more detail about these questions, please see this blog post.
As schools collect more data on students, it is critical for them to be transparent about their data practices to foster trust with parents. Schools benefit when they are able to most clearly and effectively communicate the following to parents and guardians, beginning with broader descriptions and over time moving toward the sharing of more granular information:
- Legal requirements and restrictions
- Governance and accountability
- Types and uses of data
- Privacy and security practices
- Third-party data sharing
- Parent access and rights
A multi-layered approach is most effective, matching the content format with the message scale, complexity and timeliness. Schools should utilize the following channels to communicate:
- School websites and mobile applications
- Notifications
- Parent involvement
- Technology dashboard
- Tiered staff response
For more information, see this blog post.
Schools and Student Data
Schools hold a variety of information on students, including name, address, names of parents or guardians, date of birth, grades, attendance, disciplinary records, eligibility for lunch programs, and special needs. Schools, including teachers and school officials, use this data not just for basic administrative needs such as knowing whether a student may have a peanut allergy, but they also use this data to assess how well students are progressing, how effective teachers are, and how well schools are doing in relation to each other. Student data, in aggregated (averaged out) form, can help states make better policy decisions and plan budgets according to how to more effectively educate students. This video from Data Quality Campaign explains more.
For most of FERPA’s existence, the majority of data shared by a school occurred at the administrative level, so teachers generally received little to no training on data privacy laws or policies. In recent years, with more and more educational technology entering the classroom, teachers have become one of the primary sharers of student data. Consequently, it is more important than ever for teachers to be trained on what their legal obligations are and what best practices they should follow when sharing and securing student data.
Data governance addresses the processes and systems governing data quality, collection, management, and protection; basically, data governance includes formal policies that address the whole life cycle of data.
Good governance assures accuracy, timeliness, usability, and security in data. Governance plans should define roles and responsibilities when it comes to data access, disclosure, and use; ensure data management and monitoring; and describe and set up parameters on how data is collected, accessed, and used.
There are many great resources that K-12 school officials can use to create or improve their state, district, or school data governance plan. We recommend:
- Checklist for Developing School District Privacy Programs (PTAC)
- Data Governance Checklist (PTAC)
- Protecting Privacy in Connected Learning Toolkit for LEAs (CoSN)
- CoSN Trusted Learning Environment (TLE) Seal (CoSN)
- Roadmap to Safeguarding Student Data (DQC)
- Policymaking on Student Privacy: Lessons Learned
Also, see this video from the US Department of Education, which goes over starting a district privacy program
Security
If your password consists of a dictionary word and a number (or worse still, appears on the list of most common passwords), then a hacker could easily crack your password in under a few seconds. The most recent guidelines from the National Institute for Standards and Technology (NIST) focuses on length of passwords over complexity. To increase the length of your passwords, consider using passphrases instead, which consist of a short sentence or several random words put together. This blog post provides more detail on choosing a strong passphrase.
Furthermore, you could stop creating and remembering passwords all together and use a password manager to do both.
Securing data is a large part of ensuring student data protection. When storing student data, data should be stored following FERPA security principles. See more information below.
Without security, there can be no privacy. LEAs and SEAs have a responsibility to ensure that data is protected through adequate security. When contracting with educational technology vendors, school officials should make sure that these companies have privacy policies and practices that ensure data security.
Recommended Security Resources
- Data Security Checklist (PTAC)
- CoSN Cybersecurity Toolkit (CoSN)
See this video for more information about protecting security in the context of ed tech.
Privacy and New Technology
It is unclear how a lot of new technology fits within the existing privacy legal framework. Voice assistants, such as Google Home and Alexa, are no exception. In general, these tools are intended for home use and not for the classroom. With that said, we recommend that you do the following if you choose to use them in the classroom.
- Check with your school or district first since they may have policies regarding their use
- Educate yourself about your state and federal privacy laws using The Educator’s Guide to Student Data Privacy
- Get parent permission first before using the assistant in the classroom
- Once in the classroom, treat the voice assistant as if it were an outside classroom visitor
- Learn how to use the device’s privacy settings and proactively manage them
- Consider how and whether this device will enhance teaching and learning
See this blog post for more detail.
Our Audiences
Student Privacy Compass aims to provide a one-stop shop for education privacy-related resources to all stakeholders in the student privacy conversation: students, parents, educators and education agencies, the edtech industry, and policymakers struggling to grapple with the ever-changing student privacy legal landscape.