Beyond FERPA: Five Tips For Protecting Student Data
How can district technology leaders make sure that their schools are compliant with federal data privacy laws? And just as importantly, what protections should schools be aware of that aren't required by federal law?
Student privacy experts addressed these questions at a panel Monday at the International Society for Technology in Education's annual conference in Chicago.
For daily dispatches from ISTE and ongoing coverage of ed-tech news and trends, sign up here for the Digital Directions newsletter.
The panelists discussed the Family Educational Rights and Privacy Act (FERPA), which prohibits the disclosure of students' protected information to a third party under most circumstances. The law includes an exception for those designated as "school officials." In those instances, schools can share students' data with third parties, including ed-tech companies, as long as the school retains "direct control" over the information and the vendor is using the data for a legitimate educational interest, as defined by the school.
That means a vendor proclaiming that they're "FERPA-compliant" on their website or promotional materials is meaningless, he said.
"There is no such thing as a 'FERPA seal of approval,'" Hawes said.
Student Privacy Pledge a 'Good Start'
Then there's the Student Privacy Pledge, a voluntary set of restrictions around student data that has been signed by more than 300 ed-tech companies.
Even if a vendor signs on to the pledge, districts still need to ensure that they're FERPA-compliant, said Sara Kloek, the director of education policy at the Software and Information Industry Association.
Signing the pledge is "a good start," she said, "but it doesn't get into the specific state privacy laws, or even the individual practices of your particular district or school."
When vendors make blanket statements of FERPA compliance, it's an indication that they don't understand what the law requires, said Bill Fitzgerald, a student privacy expert and a project director at InnovateEDU, a Brooklyn-based education equity nonprofit.
District should "hammer them on that, because that's bad practice," he said.
And even if they actually do comply with FERPA, the ed-tech apps that students are using could still put their privacy at risk, said Fitzgerald.
Conversations about student privacy tend to focus on personally identifiable information, which is "a pretty narrow spectrum of information," Fitzgerald said. And while most of the privacy issues that surface aren't the result of bad intent, they can still have consequences for kids, he said.
Kloek recommends that districts have detailed conversations with the vendors they're hoping to work with, focusing on district-specific policies and the laws of their particular state.
Data-privacy Tips and Suggestions
The panel offered some suggestions for issues to bring up in conversations with vendors, as well as tips for districts developing their own privacy policies:
1. Hold companies to high data-privacy standards. The Student Data Privacy Consortium, an alliance of districts across several states, has created a model contract that districts can use when evaluating products. They list the vendors that are members of the consortium on their website.
"If you want to work with a vendor that's on that list, make the same demands," Fitzgerald said.
Similarly, districts looking to partner with companies that also work in the European Union can ask that the vendors follow GDPR, recently-passed European legislation that gives individuals more control over and access to their data.
Ed-tech companies aren't required to agree to these requests, but "it's a good conversation to have," said Fitzgerald, "because you'll get a sense of how customer-centric their posture is and how privacy-centric their posture is."
2. Ask vendors about 'data sunsets.' Companies will sometimes include their privacy policies information about when (or if) they will delete the data that they collect, Fitzgerald said.
Districts should check to make sure that the timeline is reasonable, taking into account the sensitivity of the data in question and how critical it is to the work of the vendor.
3. Have a district policy outlining who reviews products, and what they're looking for. The district central office doesn't have to be responsible for reviewing all products, said Hawes, but there should be a district-wide protocol for how to evaluate potential ed-tech tools. Make sure that the staff who will be going through this process—a group that can include teachers—are using uniform criteria, he said.
4. Don't attempt to side-step FERPA. Many districts have tried to avoid addressing FERPA compliance by asking parents to give consent for apps and other services, said Hawes. Districts can do this for products that are optional, but for products that are required to participate in daily instruction, this isn't a viable option, he said.
"Parents cannot be forced to waive their FERPA rights as a condition of receiving educational services for their children."
5. Be transparent. When districts face pushback from parents about data collection, it's often because they are secretive about their practices, said Hawes.
"In the absence of full information, people tend to assume the worst," he said. If district leadership feels like they can't justify their data collection practices, that's a problem, said Hawes. "If parents would freak out about the list of data elements you're collecting, then you need to think about why you're collecting them."