Resources for Service Providers

Protecting Student Privacy While Using Online Educational Services (U.S. Department of Education PTAC)

Student Data and De-Identification: Understanding De-Identification of Education Records and Related Requirements of FERPA: Guidance document prepared by the Future of Privacy Forum and Foresight Law + Policy provides an overview of the different tools used to de-identify data to various degrees, based on the type of information involved, and the determined risk of unintended disclosure of individual identity. Proper data de-identification requires technical knowledge and expertise as well as knowledge of, and adherence to, industry best practice.

Data de-identification represents one privacy protection strategy that should be in every student data holder’s playbook. Integrated with other robust privacy and security protections, appropriate de-identification – choosing the best de-identification technique based on a given data disclosure purpose and risk level – provides a pathway for protecting student privacy without compromising data’s value. This paper provides a high level introduction to: (1) education records de-identification techniques; and (2) explores the Family Educational Rights and Privacy Act’s (FERPA) application to de-identified education records. The paper also explores how advances in mathematical and statistical techniques, computational power, and Internet connectivity may be making de-identification of student data more challenging and thus raising potential questions about FERPA’s long-standing permissive structure for sharing non-personally identifiable information.


The Software and Information Industry Association has developed “best practice” principles for educational service providers and third party vendors.

Some states, cities, and large school districts have produced guidance for vendors. New York City Public Schools has fashioned a vendor’s guide to providing professional services for their schools. The Ohio Department of Education has made an Approved Vendor Assessment list available to the public.

CoSN has announced an intiative to bring together 13 school different school districts to develop best practices for digital media use in K-12 education.

The National Center for Education Statistics has put out a best practices brief focusing on Vendor Engagement Tips from the States, specifically related to the Statewide Longitudinal Data Systems Grant Program.


In addition to student privacy specific guidance, education service providers should be familiar with general privacy rules that are relevant when personal information is collected. When other sensitive information such as health data or financial data is collected or used additional regulatory requirements apply. If you collect, store, or use health or financial information please seek further advice from a legal professional.

If an education service provider submits an app to a major app store or includes social media plug-ins, they need to comply with the developer requirements of those platforms. The Future of Privacy Forum and the Center for Democracy and Technology have issued“Best Practices for Mobile App Developers.” The Federal Trade Commission and the California Attorney General’s Office have also offered guidance for mobile app developers. Additionally, specific guidance for app developers is available through each major app store, including Apple, Google Android, and Facebook.

Other general privacy guidance is available from the International Association of Privacy Professionals Resource Center. Also, the Future of Privacy Forum and other organizations such as the Center for Democracy and Technology, Electronic Privacy Information Center,World Privacy Forum, and the Electronic Frontier Foundation work on a variety of privacy issues and have available resources on their websites.