By Tim Groves
As schools and school districts increasingly turn to third-party vendors to assist with their growing data processing needs, controversies are surfacing over how personally identifiable student information is shared and protected.
The Family Educational Rights and Privacy Act of 1974 (FERPA) protects personally identifiable information (PII) from disclosure without parental or adult student consent. But rapid integration of online educational services and the incursion of “Big Data” into schoolhouses have raised several new issues.
For example, January 2012 amendments to FERPA have been criticized in some quarters as weakening the protection against disclosure of student records as the result of expanded exceptions to the consent requirement.
With so much change afoot, it makes sense for schools and districts to review their policies, especially their annual notifications to students and parents of their rights under FERPA. The U.S. Department of Education has advised schools and districts to pay close attention to how they define the terms “school official” and “legitimate educational interest” in those notifications.
The Department of Education’s Privacy Technical Assistance Center in February published a 14-page advisory entitled “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices.” The advisory emphasizes the importance of defining these terms, because both are critical to delineating the scope of the “school official” exception under which many schools and districts have been disclosing PII to third-party service providers without prior parental/student consent.
The “school official” exception allows unconsented disclosure of PII to a service provider if the service provider: (1) is fulfilling a function that would otherwise be the responsibility of a school employee; (2) meets the criteria for being a “school official with a legitimate educational interest” as those terms are defined in the school/district’s annual notice of FERPA rights; (3) is under the direct control of the school/district with regard to the use and maintenance of education records; and (4) uses such records only for authorized purposes and does not re-disclose PII from education records to other parties (unless disclosure is specifically authorized by the school/district and is otherwise permitted by FERPA).
The term “school official” is not defined by statute or regulation, but the Department of Education has interpreted the term to include “professors; instructors; administrators; health staff; counselors; attorneys; clerical staff; trustees; members of committees and disciplinary boards; and a contractor, volunteer or other party to whom the school has outsourced institutional services or functions.”
A school official, including a qualifying service provider, generally has a legitimate educational interest “if the official needs to review an education record in order to fulfill his or her professional responsibility.”
In a report titled “Privacy and Cloud Computing in Public Schools,” the Fordham Center on Law and Information Policy reviewed cloud service agreements, notices to parents, and computer use policies for teachers from a sample of small, medium and large school districts in every geographic region of the country.
The report found that “95 percent of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning.”
The report noted the following concerns among its key findings:
- Cloud services are poorly understood, non-transparent, and weakly governed.
- Only 25 percent of districts inform parents of their use of cloud services, and 20 percent of districts fail to have policies governing the use of online services. A sizeable plurality of districts has rampant gaps in contract documentation, including the absence of privacy policies.
- Districts frequently surrender control of student information when using cloud services. Fewer than 25 percent of the agreements specify the purpose for disclosing student information, and fewer than 7 percent of the contracts restrict the sale or marketing of student information by vendors. Many agreements allow vendors to change the terms without notice. FERPA, however, generally requires districts to directly control student information when disclosing it to third-party service providers.
- An overwhelming majority of cloud service contracts do not address parental notice, consent, or access to student information. Some services even require parents to activate accounts and, in the process, consent to privacy policies that may contradict those in the district’s agreement with the vendor. FERPA, PPRA (Protection of Pupil Rights Amendment) and COPPA (Children’s Online Privacy Protection Act), however, contain requirements related to parental notice, consent, and access to student information.
- School district cloud service agreements generally do not provide for data security, and with alarming frequency even allow vendors to retain student information in perpetuity. Yet, basic norms of information privacy require data security.
These findings raise significant red flags, and should provide sufficient motivation for schools and districts to review their data privacy and security policies as well as their contracts with online educational service providers.
Much has changed since FERPA was enacted in 1974. As technological advances generate more and more data, more and more opportunities for mining that data arise – for laudable educational purposes, but also for impermissible commercial purposes. As schools and districts outsource services that necessarily involve sharing PII, they must remain mindful of their responsibility to protect the privacy of students’ educational records.
Tim is an associate at Barton Gilman where he focuses on school law and civil litigation.