The Educator's Guide to Student Privacy: How to Protect Student Data?
The notion of what counts as "student data" has changed drastically in the last few years.
While before student data referred mostly to the student's name, address, age, demographics, what course they've taken and their final grades, with the spread of information technology, including computers and mobile devices and the students themselves generating huge amounts of data, school officials now must pay more attention to protecting student privacy.
What is Student Data?
What constitutes student data?
Student data is any Personally Identifiable Information (PII), such as name, age, address, email address, phone number, health records, etc. of the student or student's parents or guardians that is gathered and stored for the purpose of educational institution they attend.
For example, according to this infographic by Data Quality Campaign, we can group student data into 6 types:
- Student's demographics:
- Economic Status
- Special Education Needs
- Student Actions:
- Class Attendance
- Program Participation
- Extracurricular Activities
- Testing Data:
- Interim Assessments
- Annual Assessments
- Academic Information:
- By Teachers:
- By Students:
- Learning Apps
As you can see student data includes a plethora of personal information about the student and therefore, educators must know how to protect it.
This is why we've created this educator's guide to student privacy.
How Does the Federal Law Protect Student Data Privacy?
With schools increasingly adopting information technologies, lawmakers today have much more responsibility than ever before to safeguard student privacy.
This is accomplished through three federal laws: FERPA, COPPA and CIPA. You can learn more about FERPA at Protecting Student Privacy, which is a website maintained by the U.S. Department of Education.
Family Educational Rights and Privacy Act (FERPA)
- What is FERPA?
Family Educational Rights and Privacy Act or FERPA is a federal law that grants parents certain rights to student records. Once the student reaches the eligible age (18) or they attend a school above high school level, those rights pass on to them.
What records fall under FERPA?
Student education records are all records that pertain to the student directly and are maintained and collected by the school or educational agency.
Who can access student education records?
Apart from the school itself, student data can be disclosed without acquiring the written consent from either the eligible student or their parents or guardians in the following cases:
- A court order or subpoena
- When requested by accrediting organizations
- When it is requested for evaluation purposes, audit or financial aid
- When requested by another school that the student wishes to transfer to
- When requested by school officials with educational interest
- In case of safety and health emergencies
Responsibilities of schools under FERPA
- An eligible student or their parents must be informed by the school of their rights under FERPA each year (until the student attends that school, that is)
- Eligible students or parents must also be informed by the school of any directory information and be given enough time to request that their directory information is not disclosed
Children's Online Privacy Protection Act (COPPA)
What is COPPA?
The Children's Online Privacy Protection Act or COPPA does not directly deal with student privacy rights, but instead regulates how companies operating websites can collect personal information from children under 13 years of age
What are the school's responsibilities under COPPA?
- The school must carefully examine and vet any online services, including mobile applications and websites, with which they intend to share student data and share this information with the parents, including the website name, address, privacy practices, etc.
- In addition, if the website or app is solely used for educational and not commercial purpose, the school can stand in the parent's stead for consent
Children's Internet Protection Act (CIPA)
What is CIPA?
The Children's Internet Protection Act or CIPA is a federal law that requires K-12 schools to use web filters and other measures to protect students from harmful content on the Internet.
What are the responsibilities of the school under CIPA?
- Under CIPA, an educational institution must have a plan to monitor student online activities according to the Federal Trade Commission's (FTC) Protection Children in the 21st Century Act
- The school must also educate students on how to act online and
- Provide evidence that they have an Internet safety policy
Here is what you can (reasonably) expect from email privacy laws in general.
Best Practices to Protect Student's Personal Information
An educational institution, such as a school, must follow certain rules and laws in order to process student data and protect student privacy.
These must be observed by everyone in the school system and include:
How is student data lawfully processed?
Schools must define the legal ground on which they can process individual students data. There are six such lawful bases:
- Legal obligation
- Protection of vital interest
- Public task
- Legitimate interest
if the school looks to use student data for anything beyond a task in the public interest, or a specified educational purpose they need to obtain parental consent
School or school districts are required to notify parents in advance when disclosing the student's personal information to anyone outside that school or district, including persons, companies or organizations.
Parent and student rights
Vendors or other third-parties cannot re-disclose student data without parental notification and consent or from students above 18 years of age
Student data privacy and security protections
Student private data must be encrypted at rest and in transit with encryption, including any passwords. All appropriate parties that have access and deal with student records must also go through appropriate training regarding this
Student data cannot be used for commercial purposes
Finally, student data cannot be used, shared or sold in any way for commercial purposes and the school must not allow advertising on the instructional software that it assigned to its students
As you can see, as the notion of data privacy has evolved in the last few years, educational institutions have a much bigger responsibility today to protect student privacy rights than ever before.
We hope this short guide will help schools and educators safeguard their student data privacy a little better.