Appendix I

“The Educator’s Guide to Student Data Privacy”

Retrieved and revised on August 1, 2020 from “The Educator’s Guide to Student Data Privacy” by Kelly Gallagher, Larry Magid, & Kobie Pruitt: https://studentprivacycompass.org/wp-content/uploads/2017/05/EduGuide_DataPrivacy_516.pdf

Please go the link for additional explanations and helpful information!

Why should classroom teachers care about student data privacy?

There are legal and ethical restrictions that impact districts, school, and teachers.

Traditionally, student data consisted of things like attendance, grades, discipline records, and health records. Access to that data used to be restricted to the administrator, guidance counselor, teacher, or other school official who needed it to serve the educational needs of the child. With the use of technology in schools, traditional data is now often shared with companies that provide Student Information Systems (SIS), Learning Management Systems (LMS), and many other technologies. Parents, students, and others have raised concerns about what information is being collected or shared, and what use those companies might make of that data.

Teachers should be aware of Family Educational Rights and Privacy Act (FERPA) and applicable state laws, along with their district or school policies regarding the use of educational products and services from ed tech vendors. (More on FERPA and other laws below)

What constitutes student data?

Information that is tied to individual students is referred to as personally identifiable information, or PII, and is subject to additional restrictions in laws and regulations.

Student personal information includes any information about a student’s identity, academics, medical conditions, or anything else that is collected, stored, and communicated by schools or technology vendors on behalf of schools that is particular to that individual student. This includes a student’s name, address, names of parents or guardians, date of birth, grades, attendance, disciplinary records, eligibility for lunch programs, special needs, and other information necessary for basic administration and instruction. It also includes the data created or generated by the student or teacher in the use of technology—email accounts, online bulletin boards, work performed with an educational program or app, anything that is by or about the individual student in the educational setting. Some student personal information such as social security number, is highly sensitive and collection may be barred by state law.

What is an education record?

The federal law, FERPA protects educational records that contain information directly related to an individual student and which are maintained by an educational agency or institution or by a party acting for the agency or institution. However, new state student privacy laws protect all “student personal information” and data that is now collected and used via modern educational technology products and services.

What if I want to use an education app or tool and I don’t know if my school/district has vetted it? NOTE: Do NOT use any technology with your students without your cooperating teacher’s knowledge and approval:

Be familiar with your school’s policy or process for selecting new educational tools, if one exists.

If an app or service you want to use is not on the “approved” list, ask for it to be vetted and ask how long the vetting process takes. If the process is lengthy, you will want to redesign your lesson or project plan. Once the app is approved, you can certainly use it later. The list may also contain similar alternative apps you can use in the meantime.

What are the federal and state laws that we need to follow?

FERPA – Information in a student’s education record is governed by the Family Educational Rights and Privacy Act, a federal law enacted in 1974 that guarantees that parents have access to their child’s education record and restricts who can access and use student information.

FERPA protects the access to and sharing of a student’s education record, which is all information directly related to a particular student as part of his or her education. FERPA gives parents specific rights to their child’s education records and when a child turns 18, the rights belong directly to him or her.

COPPA – The Children’s Online Privacy Protection Act (COPPA) controls what information is collected from young children by companies operating websites, games, and mobile applications directed toward children under 13.

COPPA requires companies to have a clear privacy policy, provide direct notice to parents, and obtain parental consent before collecting information from children under 13. Teachers and other school officials are authorized to provide this consent on behalf of parents for use of an educational program, but only for use in the educational context. This means the company can only collect personal information from students for the specified educational purpose, and for no other commercial purpose. Some schools have policies that require school administrator approval before teachers can allow use of certain apps or services. When information is collected with the consent of a school official, the company may keep the information only as long as necessary to achieve the educational purposes.

PPRA – The Protection of Pupil Rights Amendment (PPRA) outlines restrictions for the process when students might be asked for information as part of federally funded surveys or evaluations. In order to administer such surveys, schools must be able to show parents any of the survey materials used, and provide parents with choices for any surveys that deal with certain sensitive categories.

1. Does the product collect Personally Identifiable Information?
    FERPA, the federal privacy law applies to “education records” only, but many state laws cover ALL student personal information.
2. Does the vendor commit not to further share student information other than as needed to provide the educational product or service? (Such as third party cloud storage, or a subcontractor the vendor works with under contract.) The vendor should clearly promise never to sell data.
3. Does the vendor create a pro le of students, other than for the educational purposes specified? Vendors are not allowed to create a student pro le for any reason outside of the authorized educational purpose.
4. When you cancel the account or delete the app, will the vendor delete all the student data that has been provided or created?
5. Does the product show advertisements to student users?

Ads are allowed, but many states ban ads targeted based on data about students or behavioral ads that are based on tracking a student across the web.

6. TIP: Look for a triangle symbol ( which is an industry label indicating that a site allows behaviorally targeted advertising). These are never acceptable for school use. This would be particularly important when evaluating non-education-specific sites or services.
7. Does the vendor allow parents to access data it holds about students or enable schools to access data so the school can provide the data to parents in compliance with FERPA?
8. Does the vendor promise that it pro- vides appropriate security for the data it collects?

TIP: A particularly secure product will specify that it uses encryption when it stores or transmits student information. Encrypting the data adds a critical layer of protection for student information and indicates a higher level of security.

9. Does the vendor claim that it can change its privacy policy without notice at any time? This is a red flag— current FTC rules require that companies provide notice to users when their privacy policies change in a significant or “material” way, and get new consent for collection and use of their data.
10. Does the vendor say that if the company is sold, all bets are off? The policy should state that any sale or merger will require the new company to adhere to the same protections.
11. Do reviews or articles about the product or vendor raise any red flags that cause you concern?