Confidentiality Issues in Online Educational Services: Guidance and Best Practices from U.S. Department of Education
With the increased use of technology by school districts to enhance student learning come challenges with regard to student privacy and security practices. These challenges prompted the U.S. Department of Education to create the Privacy Technical Assistance Center (“PTAC”) as an informational resource to help educators, online educational service providers, and parents. On February 25, 2014, the PTAC published a document titled “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices,” which provides guidance on access to and protection of student information in connection with the use of online educational services. The “online educational services” addressed in the PTAC guidance include “computer software, mobile applications (apps), and web-based tools provided by a third-party to a school or district that students and/or their parents access via the Internet and use as part of a school activity.”
Since schools may use online educational services that require students and parents to log in and create personal accounts and that collect student data, the new PTAC guidance highlights the role that the Family Educational Rights and Privacy Act (“FERPA”) plays in protecting personally identifiable information (“PII”) about students in the context of such services. Under FERPA (as well as the parallel provisions of the Illinois School Student Records Act), the unauthorized disclosure of PII contained in student education records is prohibited and schools must obtain consent from parents (or eligible students) before disclosing PII, unless an exception to the consent requirement applies. In the case of online educational services, PTAC indicated that if students are not required to log in to access these services, no PII is disclosed and FERPA does not apply. Similarly, an online service provider’s collection of metadata (e.g., how long a student took to perform an online task, how many attempts were made, how long the student’s mouse was positioned over an item, etc.) that does not contain any “direct or indirect” student identifiers is not protected by FERPA. The new PTAC guidance encourages schools to determine whether the use of an online educational service requires the disclosure of a student’s FERPA-protected information on a case-by-case basis.
Although FERPA generally prohibits the disclosure of PII from a student’s education records without parent consent, there are several exceptions to this rule, two of which are noted in the PTAC guidance in relation to online educational services. “Directory information” (e.g., student name and address) may be disclosed if a school district establishes the specific elements or categories of directory information that it intends to disclose, publishes those elements or categories in a public notice, and gives parents an opportunity to opt out of such disclosures. The PTAC guidance also notes that information may be disclosed to or by online service providers under FERPA’s “school official exception,” which authorizes schools to disclose PII contained in education records if the provider (1) undertakes a function that school district employees would typically perform; (2) meets FERPA’s criteria for being a school official with “a legitimate educational interest” in student records as set forth in the district’s yearly notification of FERPA rights; (3) is under the “direct control” of the school district when it comes to storing and using the records; and (4) limits the use of records for educational purposes and refrains from re-disclosure unless specifically authorized or as permitted by FERPA.
Since FERPA sets the minimum requirements for privacy of PII in education records, the PTAC guidance urges school districts to adopt a “comprehensive approach to protecting student privacy ..., including steps to ensure that any FERPA-protected information shared with an online service provider is not to be sold to third parties or used for any other purpose other than that of the original disclosure.” The PTAC guidance further notes that students’ privacy rights implicate privacy laws other than FERPA and cautions school districts that disclosure of information must comply with such other laws as well. In Illinois, this means that disclosures must also comply with the Illinois School Student Records Act and its implementing regulations.
The PTAC guidance concludes with a list of “best practices” for school district compliance with the laws governing disclosure of education records to and use by online educational service providers, including:
- Maintaining awareness of other relevant federal, state, or local laws in addition to FERPA;
- Being aware of which online educational services are currently in use in the district;
- Having policies and procedures in place to evaluate and approve online educational services;
- When possible, using written contracts or agreements when employing online educational service providers which contain terms requiring providers to comply with the laws governing access to, use of, and disclosure of students’ record information;
- Taking extra steps to protect student confidentiality before entering into any agreement with an online service provider using a Click-Wrap application;
- Being transparent with parents and students; and
- Obtaining parental consent before sharing student information, even when it is not required by FERPA.
Compliance with all applicable student records and confidentiality laws is essential if educators plan to take full advantage of the new technologies designed to enhance student learning. If you have any questions concerning the new PTAC guidance or legal requirements governing online educational service usage, please contact one of our attorneys at our Flossmoor Office at 708-799-6766.