Technological advances have dramatically changed the landscape of education. Where textbooks and photocopies were previously used to educate a classroom full of students, today’s education environment increasingly incorporates electronic tools to increase interaction between and among students and teachers. On-line educational services take many forms, including enabling students to access class assignments, to view their learning progression, to watch video demonstrations, to comment on class activities or to complete homework. While technology providers have demonstrated their value in transforming the educational system for the benefit of students, they also heighten awareness of student privacy concerns during their use.
The Family Educational Rights and Privacy Act (FERPA) protects personally identifiable information (PII) in students’ education records from unauthorized disclosure. In addition to FERPA, the Protection of Pupil Rights Amendment (PPRA) may also apply. While FERPA protects PII in the education records maintained by the school district, PPRA protects PII collected from the student. On-line educational services may involve FERPA protected data to open accounts for students, but then subsequent information gathered through the student’s interaction with the on-line educational service may implicate PPRA. Therefore, student information collected or maintained as part of an on-line educational service may be protected under FERPA, under PPRA or under both.
Clearly, the implications are far reaching when reconciling student privacy issues with the use of on-line educational services. While most districts have already implemented certain on-line educational services, it is important to develop best practices for protecting student privacy when using these services. The United States Department of Education (DOE) has developed recommended best practices which include the following:
- Be aware of all on-line educational services currently used in your district. It is strongly recommended that each district conduct an inventory of the on-line educational services currently used in that particular district which can then be used to determine the type of student information being shared with each provider.
- Implement policies and procedures to evaluate and approve proposed on-line educational services. It is important for school districts to be clear with both teachers and administrators about how proposed on-line educational services should be approved. This should apply not only to formal contracts, but also for consumer oriented free applications (Apps). It is important that teachers and staff not bypass internal controls when deciding to use free on-line educational services. The DOE recommends that free on-line educational services undergo the same approval process as paid educational services to assure that they do not present a risk to the privacy or security of student’s data or the district’s IT systems.
- Whenever possible, use a written contract for on-line educational services. Written contracts should include data security provisions; provisions for data use, retention, disclosure and destruction; clear understanding of the responsibilities of the parties with respect to student data upon termination of the agreement; and indemnification and warranty provisions to protect the district from the on-line provider’s improper disclosure of student data or information covered by FERPA or PPRA.
- Extra steps should be taken when accepting Apps. Extra caution is important when accepting free on-line Apps. Many such App agreements allow for an amendment without notice. This could be in violation of FERPA’s requirement to maintain “direct control” over the use and maintenance of student information. The App agreement should be printed and saved. School districts should develop policies that provide clear guidance to teachers and administrators for when they are permitted or prohibited from downloading and use App software.
- Be transparent with parents and teachers. The DOE encourages schools and districts to be as transparent as possible with parents and students about how the school district collects, shares, protects and uses student data. Sometimes this can be difficult with on-line educational services as it may be unclear what information is being collected while students are using the technology. The DOE recommends that school districts develop an education technology plan that addresses student privacy and information security issues. Feedback should be solicited from parents about the plan prior to its implementation or the adoption of new on-line education services.
- Consider that parental consent may be appropriate. The DOE recommends that even in instances where FERPA may not require parental consent, school districts should consider whether consent should still be obtained. Parental consent may be the best way to protect the school district’s interests in the use of the on-line educational services.
The recommended best practices from the U.S. Department of Education are an excellent starting point for a district to consider as on-line educational services become more and more prevalent in providing education in today’s technological world. They represent some practical steps and guidance that all school districts should take in order to balance student privacy concerns with the desire to benefit from the on-line educational resources. If your district has not already done so, steps should immediately be taken to implement the recommended best practices in order to protect your district from complaints of FERPA or PPRA violations.