Student Data Privacy Guidance Issued

The U.S. Department of Education recently issued guidelines for schools on the use, storage, and security of data generated by technology-related educational tools. The guidelines are not binding federal regulations, but offer best practices for student privacy and security concerns.

Online educational tools often give student names, contact information, education performance records, and other FERPA-protected information to third-party contractors. Additionally, online educational tools typically collect a large amount of transactional data, commonly referred to as “metadata”, which gives context to other data. Metadata may include information such as how long a student took to complete an online exercise; the number of attempts; and how long the student’s mouse hovered over an item (potentially indicating indecision).

Because FERPA may or may not protect metadata information, the Department acknowledged the issue was unresolved and concluded that metadata privacy issues must be addressed on a case-by-case basis. In light of the uncertainty, the Department reminded school officials that third-party contractors may access personally identifiable information without parent consent only if the contractor:

  1. performs an institutional service or function for which the district would otherwise use its own employees;
  2. has met the criteria set forth in the district’s annual notification of FERPA rights as a school official with a legitimate educational interest in the applicable education records;
  3. is under the direct control of the district concerning the use and maintenance of education records; and
  4. uses education records only for authorized purposes and does not re-disclose personally identifiable information to other parties (unless the provider has specific authorization from the school district to do so and is otherwise permitted to do so by FERPA).

To further assist districts in protecting student privacy in the digital age, the Department also suggested the following “best practices” when using online educational services:

  • Establish district-wide policies and procedures to evaluate online educational tools and vendor contracts for privacy and security.
  • Use a written agreement with a service provider that enables the district to maintain “direct control” over the use and maintenance of student data necessary for third-party contractors to be considered “school officials” under FERPA.
  • Exercise particular caution when accepting so-called “click-wrap” licenses for consumer software. Because click-wrap licenses are typically not negotiable contracts, an enforceable agreement may be created with the click of a mouse button. Unless school officials review the terms of the click-wrap agreement to determine whether a third party will have access to FERPA-protected information, a district may not be able to maintain “direct control” over the use and maintenance of that information as required by FERPA.
  • Consider the application of other privacy laws. The Children’s Online Privacy Protection Act (“COPPA”) requires most commercial online-learning operators to obtain parental consent prior to collecting data from certain children. COPPA also requires those operators to disclose what information is collected, how it will be used, and with whom it will be shared. A district may, in place of a child’s parents, grant consent to an online-learning operator to collect COPPA-protected information from students.
  • Be transparent with parents and students. Even if information is not protected by FERPA, COPPA, or other privacy laws, the Department suggests that districts notify students and their parents of what information is collected and how it will be used. The Department also recommends that districts develop technology education plans and solicit feedback from parents about the plan before its implementation.
  • Consider whether obtaining parental consent is appropriate even in instances where FERPA may not require it before using online educational technology.

The Department’s guidance recognizes the murky privacy implications of using online educational tools, acknowledging that nearly every FERPA issue must be addressed on a case-by-case basis. Nevertheless, the non-binding guidance contains useful tips and best practices to address student data privacy. We encourage clients to review the guidance document in full, which can be found at http://ptac.ed.gov/, or on our website at www.thrunlaw.com/links under “Publications.”