Student Privacy Compass For LEAs
Local Education Agencies (LEAs) have the responsibility of ensuring school districts have sound data privacy practices in place. This means creating systems that ensure the safety of student data while allowing for effective instruction in schools. LEAs have the distinct role of educating school professionals on data privacy and security, which requires understanding how to best communicate the importance of student privacy and ensure that student data is collected, used, and stored in a responsible manner.
Schools, school systems, and anyone who has access to students’ personal information must do everything in their power to ensure that student information is protected and used to support students. LEAs should use these principles to build upon, not just comply with federal, state, and local laws. Some signatories include AASA: The School Superintendents Association; the National PTA; the Council of Chief State School Officers; and the National School Boards Association.
Communicating with Parents and Students
School officials should also explore better ways to communicate with parents and students about how student data is being used. While FERPA requires schools to provide an annual notification of parent’s and eligible student’s FERPA rights, this can occasionally be little more than a rote legal notice. Both parents and students are better served when they understand how data is used in schools, and school officials should consider ways to explain their technology, data, and privacy policies in a friendly manner.
Parents want to know how their child’s data is being collected, used, and protected, but may not have more than 10 minutes to search out answers. Districts should be able to answer questions about student data and communicate with all stakeholders involved effectively.
Be Able to Answer Parent Questions
Parents may come to you or their child’s teacher with questions. While some questions may require more investigation, you can prepare in advance for some of the most common parent questions, such as:
- What kind of data is collected about students?
- How is student data used?
- Who has access to data about my child?
- Who is in charge of privacy in our district?
- What apps are our district using?
- How does our district hold ed tech companies and other service providers accountable for maintaining the confidentiality of the student data they receive?
- Can parents access their child’s education records?
Create an FAQ handout (you can always adapt the one on pages 16-18 of this Student Data Privacy Communications Guide) and provide it to parents at least once annually. You could also print out or link to our Parents’ Guide to Student Data Privacy.
The first place many parents will go to find answers is their school or district’s website. It is vital to have accessible information on your website. This doesn’t have to be complex. A great example is the Chesterfield County Public Schools (see screenshot), which is extremely simple. It has links to:
- A list of what apps the district is using and the privacy policies for those apps (don’t know what apps your district is using? Find out! Take a survey, or use a product like LearnTrials or Catch On);
- The Privacy Policies & Guidelines for the district;
- Privacy FAQs; and
- A link to a Google form where parents can ask a quick question that gets automatically sent to the person in charge of privacy for that district.
- Chesterfield County Public Schools Privacy Page
- Fairfax County Privacy Page
- Ventura County e-Safety Committee Task Force
- Houston ISD Privacy Page (PDF)
- Denver Public Schools Student Data Privacy Page
- Wisconsin SEA Privacy Page
Don’t be afraid to take content from other SEAs and LEAs and link to other great resources.
There are many other great ways to communicate about privacy. Some districts have an annual meeting with students and their parents dedicated to privacy. Some devote annual time for students to learn about their privacy at school. Others put information about student privacy–like a monthly privacy tip–in their district’s monthly newsletter. Figure out how parents in your district can best be reached–by mobile phone, website, in person, etc.–and meet them where they are. Check out our favorite communications resource, the Foundation for Excellence in Education Student Data Privacy Communications Toolkit, for ideas and resources you can copy and paste.
- Transparency Best Practices (PTAC)
- Student Data Privacy Communications Toolkit (ExcelinEd)
- A Parents’ Guide to Student Data Privacy (National PTA, ConnectSafely, FPF)
- Data Quality Campaign
Have other communications suggestions or materials that other districts could use? Email them to us at [email protected].
Schools remain accountable for the security of their students’ information, even when it is managed by an outside vendor—thus, schools should be aware of the laws that guide the collection, use, and storage of data about students and children.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) also requires that schools give parents and students the opportunity to access information in their education records. Students and parents are allowed to review and potentially amend incorrect information within their education record. Procedures should be put in place to simplify this process.
A school may not generally disclose personally identifiable information from an eligible student’s education records to a third party without written consent. There are a number of exceptions to this rule, which are laid out in the Department of Education’s FERPA Exceptions – Summary CHART.
|FERPA Directory Information|
|Date & Place of Birth|
|Major/Field of Study|
|Dates of Attendance|
|Participation in officially recognized activities & sports|
|Weight & height of athletes|
|Degrees, honors, & awards received|
|Most recent educational institution attended|
|Student ID, User ID, or other unique identifier (that cannot be used to access education records without a pin or password)|
- FERPA gives parents and students the right to opt out of having their “directory information” shared.
- FERPA allows schools to share student information among designated “school officials” with “legitimate educational interests.” Schools must define these terms, and inform parents who they consider a “school official” and what is deemed a “legitimate educational interest.” This process allows schools to partner with outside persons or entities to provide educational tools and services.
Aside from the two most common FERPA exceptions listed above, there are a number of other circumstances when prior consent is not required to disclose information about a student. The following are categories of people/organizations that may not need express student consent to gain access to certain information about students.
|Individual/Entity Seeking Information:||Type of information available without consent…|
|Parents||Of dependent post-secondary students||Generally – any student information|
|Of Non-Dependent Post-Secondary Students|
|Schools||In which the student intends to enroll|
|Financial Aid Offices||Facts relevant to determining a student’s eligibility, amount, or conditions surrounding receiving financial aid|
|Authorized Representative of Federal, State, and local Governments and Educational Authorities||Auditing, evaluating, or enforcing education programs|
|Organizations||Data used to conduct studies, predictive tests, administering student aid program, or improving instruction|
|Judicial or law enforcement authority||In compliance with an order or subpoena|
|Victims||Results of a disciplinary hearing of a crime of violence|
|Third Parties||Final results of a disciplinary hearing concerning a student who is an alleged perpetrator of a crime of violence and who was found to have committed a violation of the institution’s rules or policies|
|Community Notification Program||Information concerning a student required to register as a sex offender in the State|
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) guides the protection of data, when companies collect “personally identifiable information” directly from students under the age of 13. The FTC updated its COPPA guidance in April 2014 to clarify that “the school’s ability to consent on behalf of the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose….because the scope of the school’s authority to act on behalf of the parent is limited to the school context.” School consent cannot substitute a parent’s approval “in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service.”
Protection of Pupil Rights Amendment (PPRA)
|PPRA Sensitive Information|
|Mental & Psychological Problems|
|Sex behavior & Attitudes|
|Date & Place of Birth|
|Illegal, anti-social, self-incriminating & demeaning behavior|
|Critical appraisals of other individuals|
|Legally recognized privileged or analogous relationships|
|Participation in officially recognized activities & sports|
State Laws and Regulations
Do you know if the state you are working in has a student privacy law? Just since 2013, over 100 new student privacy laws have passed in almost all states. Most of those laws impose new requirements on districts, states, and school service providers.
According to the National Center for Education Statistics, “data governance refers to the overall management of the availability, usability, integrity, quality, and security of data.” It is important for SEAs to know what data is collected, where it is collected, how it is stored, and more. Implementing a strong data governance plan “help[s] [LEAs] ensure that appropriate policies and procedures are in place to facilitate access to and use of student data while protecting student privacy.”
Good governance assures accuracy, timeliness, usability, and security in data. Governance plans should define roles and responsibilities when it comes to data access, disclosure, and use; ensure data management and monitoring; and describe and set up parameters on how data is collected, accessed, and used.*
There are many great resources that K-12 school officials can use to create or improve their state, district, or school data governance plan. We recommend:
- Checklist for Developing School District Privacy Programs (PTAC)
- Data Governance Checklist (PTAC)
- Protecting Privacy in Connected Learning Toolkit for LEAs (CoSN)
- CoSN Trusted Learning Environment (TLE) Seal (CoSN)
- Roadmap to Safeguarding Student Data (DQC)
- Policymaking on Student Privacy: Lessons Learned
Developing a Privacy Program for Your District (U.S. Department of Education PTAC)
*Definition from West Virginia Department of Education
Dealing with Service Providers
Most schools and districts partner with third parties to improve the ability of schools to use, analyze, store, and protect data. However, surveys have shown again and again that parents are very concerned about third parties having access to student data. Thankfully, many organizations have provided districts with resources that can help guide them as they share data with third parties.
Additionally, almost half of US states currently use model contracts when contracting with edtech vendors. Model contracts involve districts working together to create standard, education-contract language for use throughout the state. Model contracts are are a way for districts to minimize the time and money required to engage companies each year–some districts require more than 500 individual contracts. Education agencies should ensure that model contracts used effectively promote privacy and security requirements and are appropriate for the planned management and use of technology and student data.
Resources for Dealing with Service Providers
- Model Terms of Service: Protecting Student Privacy While Using Online Educational Services (PTAC)
- Security Questions to Ask of An Online Service Provider (CoSN Toolkit, page 13)
- Suggested Contract Terms (CoSN Toolkit, page 15)
- Protecting Student Privacy While Using Online Educational Services (PTAC)
- Seven Basic Security Checks for Evaluating Educational Platforms (FPF)
- Student Data Privacy Consortium Website (SDPC)
- Ed Tech Product Privacy Evaluations (Common Sense Media)
- Student Privacy Pledge
- Surveying Encryption Practices of Technology Used Within Schools (Common Sense Media)
Protecting Student Privacy While Using Online Educational Services (U.S. Department of Education PTAC)
Reviewing Edtech Products: Privacy, Safety, Security, and Contracts (iKeepSafe)
Is there a resource or model document for dealing with vendors that we should add? Email us at [email protected].
In order to adequately safeguard student privacy, privacy and security training are vital.
According to IBM’s “2014 Cyber Security Intelligence Index,” human error is a factor in 95% of all data security incidents. Many of those are avoidable mistakes that could be minimized with training, so that all staff are aware of the importance of not having an easy-to-guess password, know to double-check emails when sending attachments to ensure that the right data is sent, how to recognize whether an email has a potentially malicious link, and what to do if a device with sensitive information is lost.
It is important to ensure that anyone who handles data knows how to protect that data, but also has a more detailed understanding of how to use–or not use–that data.
New education technology has also caused privacy problems for districts and schools. For example, most people just press “yes” when they download an app to their tablet without reading the terms of service. However, when a teacher is the one downloading that app to his or her students’ tablets, it is vital that he or she know what information is collected by that app and how that information will be used, stored, and shared. Through training, teachers can learn to recognize these potential privacy hazards–or know when they need to talk to an administrator to see if a particular app is safe to use.
So what do teachers need to know, and what resources are available for training?
Generally, teachers don’t need to know the complexities of privacy laws or complicated data governance procedures. In order to avoid the most common data privacy and security incidents, they need to know:
- basic internet and computer safety procedures;
- how to use data to help students;
- the dangers of unintentional student data disclosure; and
- how to use apps safely.
More and more states, districts, and organizations are creating training resources that can be used by your district:
- Educator’s Guide to Student Privacy
- The Educators’ Section of Student Privacy Compass
- Wisconsin SEA Privacy Training Webpage (and free 15-minute training module!)
- iKeepSafe Privacy Courses for Teachers and Administrators (see the video playlist below)
- Ask Before You App video
Student Privacy For K-12 Educators and Administrators Playlist (iKeepSafe)
Do you have training resources we should feature or link to? Email them to [email protected].
Securing data is a large part of ensuring student data protection, and should be stored according to FERPA security principles. See more information below.
Without security, there can be no privacy. LEAs and SEAs have a responsibility to ensure that data is protected through adequate security. When contracting with educational technology vendors, school officials should make sure that these companies have privacy policies and practices that ensure data security.
However, vetting apps can be a monumental task.
Recommended Security Resources
Resources for LEAs
There are many great resources for LEA officials on student privacy. Some of our favorite resources are listed below, but you can access all the resources we have found for service providers by clicking the “Resources” tab above and selecting “LEAs” in the Resources sidebar.
- U.S. Department of Education Privacy Technical Assistance Center (PTAC)
- Data Quality Campaign
- Consortium for School Networking: Protecting Privacy
- Colorado Sample LEA Privacy and Security Policies
- Protecting Privacy in Connected Learning Toolkit for LEAs (CoSN)
- 2016 Forum Guide to Education Data Privacy (NCES)
- The Educator’s Guide to Student Privacy (FPF)
- Privacy and Student Data: An Overview of Federal Laws Impacting Student Information Collected Through Networked Technologies (Berkman Klein Center at Harvard)
- Student Privacy & Data Security: A State Education Agency Discussion Framework (CCSSO)
- California Data Privacy Guidebook (Fagen Friedman & Fulfrost LLP)
- FERPA 101 For Local Education Agencies
- FERPA 201: Data Sharing Under FERPA
- Online Course: Data Privacy? Get Schooled.’
How to Use Your District’s Website to Communicate with Parents About Data Use and Security (U.S. Department of Education PTAC)
The ABC’s of Student Directory Information (U.S. Department of Education PTAC)
Email and Student Privacy (U.S. Department of Education PTAC)
School Volunteers and FERPA (U.S. Department of Education PTAC)
Are we missing a resource you think should be included? Email us at [email protected].
- Student Data Privacy Consortium (SDPC)
This white paper by the Student Data Privacy Consortium (SDPC) and the Access 4 Learning Community (A4L) describes the challenges faced by schools and district…
This resource by CoSN provides cybersecurity considerations and best practices for districts, educators, parents, and students to protect themselves from COVID…
- Utah State Board of Education (USBE)
This video, published by the Utah State Board of Education (USBE), provides answers to FAQs about complying with FERPA while transitioning to virtual learning …