Controlling the privacy of students was a matter of locking records up back then. Now, in the digital classroom era, schools need increased data security to keep students’ data safe and maintain compliance with updated laws.
As a child moves through his education stages, from K-12 and on to college or a trade school, at each and every step that child and their family engage with technology.
Whether it’s a computer lab at the local elementary school, a homework assignment that must be submitted online, or a collaborative, cloud-based platform that enables teachers and parents to interact, the education environment is a technology environment.
After school, students are immersed in technology too. Many students have their own cell phones or, at least, access to a home or public computer. They text each other, post to their Instagram accounts, or tag along in popular online games, such as Fortnite or Minecraft to pass the time. The onset of the coronavirus also meant that much of a student’s daily life, from learning to socializing, has migrated online too.
With every keystroke done in school devices or through platforms monitored by them, children provide their schools, and other organizations with data that may or may not be protected by federal and state laws. Consequently, all data a student generates is bound to be at risk, from their behavior on a school’s online platform that might be inadvertently tracked by the vendor, to their educational records.
What Laws Protect These Students’ Data?
In the United States, three laws have been enacted to uphold student privacy and data security: the Family Education Rights & Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Children’s Internet Protection Act (CIPA). Each is administered by different branches of the federal government, and each seeks to police possible cyber dangers to minors. There are also many state-level laws, but for now, we’ll focus on the big three.
FERPA: Family Educational Rights and Privacy Act
What is it?
The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that aims to protect the privacy of student education records, by giving parents certain rights to the records until the student becomes eligible to possess the right to their record.
To whom does it apply?
Because FERPA is a federal law, it applies to all educational institutions and agencies that receive federal funding from the US Department of Education.
What education records fall under FERPA?
As defined by the law, student education records refer to all records that directly relate to the student, as maintained by the school or educational agency. This includes records on children with disabilities who fall under Part B of the Individuals with Disabilities Education Act (IDEA).
Excluded from the definition are law enforcement unit records and other documents that may be kept by the school resource officer and other law enforcement authority.
When does the right transfer to the student?
The right transfers to the student when they reach the age of 18 or attend a school beyond the high school level. Students to whom the right has been transferred are called “eligible students”.
Who else may access the education record?
In general, the school must have the written permission of the parent or eligible student to release any part of the student’s information record. However, 34 CFR § 99.31 allows schools to disclose such records without requiring consent according to the following conditions:
- To comply with a court order or subpoena
- When requested by school officials with legitimate educational interest
- When requested by other schools where the student intend to transfer
- When required for financial aid, audit, or evaluation purposes
- For accreditation
- In case of health and safety emergency
- When requested by local and state authorities within a juvenile justice system and subject to specific State law
In addition, schools may disclose directory information such as the student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance, without requiring consent.
What other responsibilities do schools have with regard to FERPA?
- The school must inform the parents and eligible students of their rights under FERPA each year. The notification is left to the school’s discretion, and may be in the form of a student handbook inclusion, PTA bulletin, or other announcements.
- The school must also inform parents and eligible students about directory information, and provide a reasonable amount of time for them to request if they do not wish their directory information to be disclosed.
Where can I know more about FERPA?
The Department of Education maintains a site, “Protecting Student Privacy,” with information that explains what best practices every educational stakeholder — from students to parents, to teachers, vendors, and researchers — must adopt in order to manage student data while still maintaining student privacy.
The Dept. of Education’s FERPA Video “Student Privacy 101 is also good place to find out more about this law.
COPPA: Children’s Online Privacy Protection Act
What is it?
The Children’s Online Privacy Protection Act (COPPA) of 1998 falls under the jurisdiction of the Federal Trade Commission. Unlike FERPA, which focuses on student rights, COPPA regulates how website operators or online services can collect personal information from children under 13 years of age.
In a nutshell, COPPA these regulations include:
- Providing a notification and getting parental consent before collecting information
- Keeping such collected information secure and confidential
To whom does it apply?
COPPA applies to all online portals such as websites and applications that may be accessed by children below the age of 13. As such, these include sites and apps operated by educational institutions.
What obligations do schools have with regard to COPPA?
According to the FTC, schools can stand in for parental consent if the site or app is used solely for educational purposes, and for no other commercial purpose.
In addition, schools must practice due diligence when vetting products and services, and provide appropriate information to parents. These include the names of such sites or services, and their information and privacy practices.
Where can I know more about COPPA?
To learn more, take a look at the FTC’s guide, Protecting Children’s Privacy Under COPPA.
CIPA: Children’s Internet Protection Act
What is it?
The third big federal law protecting children is the Children’s Internet Protection Act (CIPA) of 2000, which is concerned with children’s access to the obscene or harmful parts of the Internet. It requires libraries and K-12 schools to use web filters and other measures to protect children.
To whom does it apply?
CIPA applies to all schools and libraries that participate in the FCC’s E-rate discount program where they receive discounts for Internet access or internal connections.
What obligations do these institutions have as part of CIPA?
With CIPA, schools and libraries must be able to prove that they have an Internet safety policy in order to obtain E-rate discounts. These protections must include either blocking or filtering online content that is considered obscene or harmful to minors. In order to demonstrate compliance, these schools and libraries must publicize their compliance policies and hold at least one public meeting.
In addition, schools must also have a provision to monitor the online activities of minors and, per the 2012 Protecting Children in the 21st Century Act, must educate these same minors on how to act online. Their education curriculum must encompass appropriate online interactions on social networking, in chat rooms, as well as cyberbullying and response.
Where can I know more about CIPA?
You can find out more about CIPA or apply for E-rate funding by contacting the Universal Service Administrative Company’s (USAC) Schools and Libraries Division (SLD)
Or, you can print out read this PDF: Children’s Internet Protection Act (CIPA)
Best Practices for Compliance with FERPA, COPPA, and CIPA
The shift to online classrooms and digital learning means that concerns about student privacy and data collection are more critical than ever. Here are some best practices to ensure your organization’s compliance.
Vet all learning tools
- Implement a policy for vetting educational technology tools. This allows both teachers and students to know what sites, apps and platforms are verified safe for learning.
- The Department of Education has a helpful checklist for evaluating educational technology products, vendors, and their Terms of Service.
- The DOE also encourages schools to tap both their IT resources and legal counsel when vetting tools for FERPA compliance.
Implement basic security measures
At the very least, schools should follow basic cybersecurity practices to safeguard data. These include:
- Identifying which assets are authorized and unauthorized
- Implementing role-based access, and review them periodically
- Using VPN when on unsecured connections
- Teaching cybersecurity practices such as using unique passwords, locking unattended devices, and being on-guard against phishing and malware attacks.
Be transparent about data collection
FERPA requires institutions to notify parents and eligible students of their rights each year. To make the process smoother, the DOE suggests that schools inform parents and students what data is being collected, and how it will be used, even if the information is not protected by FERPA or the two other privacy laws. Being transparent helps build trust in the school, the learning process, and the platforms that are used.
- A prominent link on the homepage
- A list of all parties that collect personal information, including third parties like social networking plugins or ad networks
- What personal information is being collected, and how it will be used
- A section on parental rights, including the right to refuse or to request a review or permanent deletion of any data collected.
Provide direct notice before collecting data
A direct notice of collection practices must be provided prior to collecting data. In addition, any change to the information practices should be posted and updated on the site.
Obtain verifiable consent before collecting or disclosing data
The FTC provides a list of acceptable methods, which include:
- Using a consent form
- Implementing knowledge-based challenge questions designed to be answered by parents
- Asking for a government issued ID that can be verified against a database, as long as the photo is deleted after verification is complete.
For more COPPA best practices, refer to the FTC’s 6 Step COPPA Compliance Plan.
The American Library Association has compiled some practical tips to help schools and libraries comply with CIPA:
Use physical (hard copy) and electronic signs to inform users that filtering software is used to comply with CIPA as a federally funded institution
Because filtering software can be imprecise, CIPA allows organizations to unblock sites that may have been erroneously blocked. Users can request websites to be unblocked provided they are legitimately useful for educational purposes.
For libraries, adult users age 17 and above can request to have the whole filter turned off, without having to explain why. The library should post signs notifying users of this option.
This patchwork of three laws administered respectively by the Department of Education, the Federal Communications Commission, and the Federal Trade Commission, seeks to monitor and protect students in schools and in the commercial marketplace.
Note that the best practices outlined above are only suggestions culled from authoritative organizations, and readers are encouraged to visit their respective sites to learn more. All educational shareholders, from the institution’s management stakeholders to the students and their parents would do well to familiarize themselves with these laws and make sure that they, or their schools, are in compliance.