FERPA and Online Learning Tools: Protecting Student Data When Using Online Learning Applications
Posted on 09/01/2020 at 12:46 PM by Andrea Rastelli
As COVID-19 continues to impact all aspects of our daily lives, schools are having to make decisions about implementing online learning resources and applications.
These online learning resources not only allow teachers to hold classes through video conferencing but they also assist schools in maintaining social distancing guidelines. While implementing apps and new technologies could make schools more efficient, schools—especially those funded by Federal Funds—have to pay close attention to the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g).
The educational landscape in the United States has been evolving for years as new technologies have been implemented into the daily lives of students and teachers. Fifteen years ago, it was rare to hear about students even having laptops. Now, many students (some as young as 5 and 6) have access to tablets in their classrooms and teachers are incorporating their use in daily activities. With all of these new technologies joining the educational field, questions such as how student data is used and how to protect its use have been raised across the country. These questions are important and have become even more apparent now that most students will receive some aspect of their education through an online application. This blog post answers a few of the questions school officials may have as more technologies are implemented.
FERPA protects personally identifiable information (PII) that can be found in student records. Generally, FERPA applies to any public or private elementary, secondary, or post-secondary school and any state or local education agency that receives funds from the United States Department of Education. 20 U.S.C. § 1232g. Under FERPA, “educational records” are records that are related to a student and are maintained by an educational agency, institution, or a party acting for the agency or institution. 34 CFR § 99.3. Further, FERPA defines “personally identifiable information” as including, but not limited to student’s name, name of the student’s parent, addresses, social security numbers, biometric data, student numbers, date of birth, place of birth, or any other information that is linkable to a student. 34 CFR § 99.3.
There are some technologies used by schools and students that are covered under FERPA and others that are not. For example, most of the time, school districts have a portal that parents and students can use to view their records or grades. These types of portals are generally covered under FERPA because parents and students have to input certain information that qualifies as PII. Conversely, technologies such as interactive games or videos that teachers often use to better engage students, which do not require the input of PII, are not covered under FERPA.
Disclosing PII to App or Software Providers
When engaging service providers, districts should pay special attention to contracts or “Terms of Use” with these companies. For certain programs, FERPA may apply and certain restrictions may need to be added to the Terms of Use Agreements before using them in the educational setting.
Generally, under FERPA, schools cannot disclose a student’s PII unless they obtain written consent from the parents of students over the age of 18. 20 U.S.C. § 1232g. However, two major exceptions to this general rule exist which allow schools to disclose PII without parental consent. In certain scenarios, the Directory Information and School Official Exception may allow schools or school districts to implement certain software more efficiently.
Directory Information
Under FERPA, there is a subset of educational records called “directory information.” This type of information is not covered by FERPA, which means no parental consent is required to disclose the information. However, if an educational institution wants to take advantage of this exception or designation, the institutions must provide a public notice to parents that contains: 1) what type of PII is designated as directory information; 2) the right to opt-out of or restrict directory information designations; and 3) the time parents have to exercise that right.
Directory information can include, “the student's name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student.” 20 U.S.C. § 1232g.
There are many applications that schools are using to simplify the student drop off process or digitalize student directory information. Many of these applications will only ask for information that institutions may view as “directory information.” If this is the case, the institution would not need to not ask parents for consent to put directory information into the app. However, before institutions proceed with these types of apps, there are a few considerations to keep in mind.
First, does the school have a directory information notice and an opt-out process for parents? Second, did the school inform the parent of what information will be considered directory information? Third, does the school have records of the parents that have opted out of directory information record keeping? It is important to note, that to disclose PII under this category, districts must inform parents of the specific PII that they intend to classify as directory information and potentially disclose. Further, it is necessary to watch out for contracts that require school districts to make sure the information entered into the app is properly classified as directory information.
FERPA School Official Exception
Many apps and software used by school districts require the input of PII that is not classified as directory information. However, this is where the second exception, the “school official exception” comes into play. Under the school official exception, districts may disclose student PII to a provider without parental consent, so long as the provider: 1) performs a service that the district would otherwise have a school employee perform; 2) the institution directly controls the service provider concerning the use and maintenance of student PII; 3) the service provider has a legitimate educational interest in using the educational records; 4) the service provider is restricted in using the educational records only for the authorized purposes; and 5) the service provider may not re-disclose student PII to other parties unless specifically authorized.
If this exception can be applied to the district’s specific facts, consent from the parent is not required. However, the PII can only be used for the purposes authorized by the district or school in the contract with the provider. Note that FERPA still applies in this situation and the school district or school is still responsible for protecting that information.
It is always a good practice to make sure that the school or school district is always in control of the PII. All service agreements and contracts should clearly outline what the service provider can and cannot do with the student PII. Further, any modifications should be clearly communicated with the school or school district at all times, to ensure continued compliance with FERPA.
Metadata
Another question that many providers and schools have had to tackle lately is how FERPA applies to Metadata. Metadata is the underlining data that helps app developers better tailor software to each individual student’s needs. The answer to this question depends upon whether the metadata is connected to any identifiers that would link the data to the student. This is because FERPA applies only to information that can be used to identify a student. Accordingly, if the metadata is not connected to any identifiers that would link the data to the student, it is not protected under FERPA.
The converse is also true: if the metadata links the individual student to the data, the data is protected under FERPA. For example, if a student plays an interactive game that measures the speed at which the student reads, and the game then uses that measurement to create a report for the teachers and parents that tells them how fast the student is reading, this would be considered protected information by FERPA because the metadata measuring speed is directly connected to the student.
Conclusion
As schools continue to shift to online learning, understanding how providers will and can use student data is crucial for schools and school districts. Not only will this protect student data, but it will also protect schools and school districts if providers are hacked or data is misused. Navigating FERPA, how data is used by numerous providers, and what schools should watch out for in service agreements with providers is complex. Schools and school districts facing these issues should seek out guidance from attorneys that focus on privacy issues.
Categories: Andrea Rastelli, Cybersecurity Law, Education Law
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.