What You Need To Know About Using Student Data
Privacy and security attorney Bret Cohen shares how schools and districts — and teachers — need to think about their use of online services that require personal student information.
- By Dian Schaffhauser
Teachers jump onto free online education services like Costco members at sample stands — continually trolling for something that's new and different and worth the investment. But the moment they start adding student information, such as name and contact information, they could be breaking federal laws. In this two-part series, Attorney Bret Cohen covers the basics of what schools, districts and teachers should understand about the use of student data for educational purposes.
Cohen practices as an associate in the areas of privacy, cybersecurity, antitrust and consumer protection for Hogan Lovells, an international legal practice that has worked with both school districts and service providers that cater to education. In March the law firm issued an alert about education and privacy to explain a February guidance document from the Department of Education on how to protect student privacy while using online educational services. Cohen will be speaking in a panel at SXSWedu 2015 on the same topic.
Dian Schaffhauser: We're talking about the outsourcing of certain educational services where there's student data generated and maintained. What regulations come into play here on a federal level?
Bret Cohen: On a federal level the primary regulations are [Family Educational Rights and Privacy Act (FERPA)] and Protection of Pupil Rights Amendment (PPRA). These laws were adopted a while ago and weren't designed in our modern interconnected ecosystem, where data can be stored in the cloud and processed rapidly. A lot of the difficulties that [we] see are based on an inability to translate older law into a modern context.
The general requirement of FERPA is that schools are not allowed to disclose the personally identifiable information of students, which is broadly defined, without parental consent or, if the student is [18 or older], without the consent of the student. This is the general rule. So you can see how this would limit the use of service providers.
But there are some exceptions, the primary one being that certain third-parties can be deemed "school officials" subject to an exception to the rule prohibiting the disclosure of this information if they perform an institutional service or function and are under the direct control of the school or district.
This was not something envisioned for third party electronic service providers when the laws were first written. But they've been shoe-horned into this exception.
Schaffhauser: What kind of data are we talking about?
Cohen: We're talking about education records. This is pretty broadly defined [as] almost anything that a school stores about its students, and it can include just their name and contact information. There are separate exceptions to that for directory information, but in theory all of that information is protected under FERPA
Schaffhauser: When does a district or school know that it needs to pay attention to these regulations?
Cohen: Any time that it gives access to its systems to a vendor or that it transfers information to a vendor to do some sort of procedure on its behalf, it should raise the red flag to look at this as an issue that might be subject to FERPA.
Schaffhauser: Let's start with teachers. They have access to these great online services that are often free to use. What do teachers need to understand these data privacy rules in regards to that kind of usage?
Cohen: Teachers need to understand that when they're using one of these services, they're effectively acting as an agent of the school, especially if they're doing it in the context of official instruction to their classes. When that happens, the disclosure of data is subject to FERPA and PPRA, and there could be repercussions to the school for doing that.
Schools should, of course, have policies and procedures on when teachers are allowed to use these types of third-party services, which can be great for the students and can provide [more] options for schools and districts that don't have the resources to purchase more comprehensive software or services.
But at the same time, the use of those services can bind the school. The terms of services that you click through before you join one of these services is a contract between whoever signs up for it and the service. Because these terms are defined by the services, they frequently are take-it-or-leave-it types of terms.
What teachers should understand is that there are repercussions if they are going to provide student information to third-party services in a way that is going to violate FERPA or affect the privacy of students.
Schaffhauser: What can schools do to help teachers take advantage of these services?
Cohen: Ideally under FERPA, somebody at the school would be evaluating these contracts and making sure they use the proper terms and make the proper guarantees about how the service is going to use student information. Ultimately FERPA isn't going to apply to the service provider; it's only going to apply to the schools.
There are some service providers that have taken a cue from some of the guidance out there, and they have designed services that include terms that incorporate FERPA concerns into them. For example, they expressly state that the service won't use student information for purposes other than providing the service, which is required for the use of that "school official" exception, and do other things that would be acceptable under FERPA.
It would be helpful for schools or school districts to have somebody looking at these issues centrally. They could whitelist services or products that have already incorporated these types of considerations or that the district has been able to negotiate with service providers. But absent something like that — some sort of pre-approval — it really is a risk for teachers to go out on their own and use a service without having somebody within the system evaluate whether it's going to comply with the district's obligations.
Schaffhauser: Is there text that teachers and districts should be looking for in the service terms that clue them in about FERPA compliance?
Cohen: It really is going to require a review of the contract terms in their totality before you can fully confirm that it complies with FERPA. But there is some language they can look for, such as a prohibition on further providing the data to third parties without there being some nexus to the original purpose that the data are used for. There should be language in the contract that effectively tells the school, "We are just using this to provide a service to you. And you have the right to control the information and tell us what to do with it."
The bigger concerns will probably arise in terms of service for services that aren't necessarily geared towards education, for example, general cloud storage services. If they haven't been designed for education and they don't include the language that would be needed to comply with FERPA — because they weren't considered in the education context — it's something that you might not be able to use off the shelf without doing a further dive into the specific terms.
Anything that mentions FERPA or complying with privacy laws — that's at least a good start. One example is Google Apps for Education. I have seen reports that question what they do with student information. But in the end, they are designing their service to comply with FERPA and putting terms into their standard terms and conditions that will limit the ways in which they'll use information that they don't do with their other services. That's a good starting point.
But in the end the law and the guidance make clear that it is the obligation of the schools to do some sort of independent assessment on their own to make sure the service provider complies with FERPA.
In Part 2, Attorney Bret Cohen examines issues regarding student privacy that districts and schools themselves should consider.
Schaffhauser: What You Need to Know about Using Student Data, Part 2
By Dian Schaffhauser
In part 1, Attorney Bret Cohen studied teacher use of online services that use or generate student data. In part 2 of this two-part series, Cohen examines issues related to student privacy that districts and schools themselves should consider.
Schaffhauser: Are there other concerns that district people should have that teachers may not have?
Cohen: School districts have to walk a tightrope between using these great services and properly addressing privacy concerns of the parents and others in their district. That's not necessarily a straight FERPA issue. But if you look at some of these services that are being developed to comply with the law, that wasn't enough for some of the parent groups and elected officials who had expressed concerns over the services' use of student information.
inBloom is the prime example. There are many products out there that do the same thing that inBloom did but didn't get the type of publicity that it did. From what I've read, they were doing everything right to comply with the privacy laws, but they didn't engage the right people from the outset. States and districts entered into contracts with them, and parents said, "Why didn't I have a say in this?" It totally torpedoed the project and ended up in the sinking of the company.
The point is, in addition to the purely legal issue, it's really something that school districts should look at from a PR and political perspective and to engage the right people throughout the process.
Schaffhauser: What form should the parental notification take? Is it good enough to include language on the website or should the district have a document that they sign explicitly?
Cohen: From a legal perspective, if the service is going to qualify under the school official exception, no notice is technically required because the school is properly taking privacy into account and because the service is only using it for the benefit of the school. In terms of providing notice to parents and keeping them attuned to this, it would be helpful to make this information available to parents.
I know a lot of schools are using more sophisticated mechanisms of distributing information to parents about what they're doing in the classroom. It would behoove schools to include more information in those types of distribution mechanisms about the types of services that are being used in the classroom. Not just about the types of services but about how the district or school has evaluated how the service will use and protect student information. That can go a long way to avoiding some of the issues that might arise when the school enters into a contract with the service and hands over student information without consulting with parents, even if it complies with the law.
Schaffhauser: Talk a bit more about how to tell the difference between a service deemed a school official and a service that just does something a district needs or wants.
Cohen: Schools can use services for a broad variety of purposes. But in order to qualify for the school official exception, it has to be clear from the contract or from the relationship that the service provider is only going to use student information to provide whatever the institutional service or function is. There is the limitation that the purpose has to be an institutional service or function for which the school or district would otherwise use its own employees. It's not something they can use to sell lists of students in order to provide marketing to them or anything like that.
There is a broad ability to use service providers under this exception. In that respect it's easier for schools to do this without getting individual parental consent for lots of the educational services cropping up. The tricky part is making sure that those services have the proper contractual restrictions in place and meet the other standards that are required under the educational privacy laws and the school official exception.
A strategy that a lot of schools use is to inform parents about what they're doing and then rely on the school official exception to use the service provider, without getting explicit parental consent. That doesn't always satisfy parents, but it is at least compliant with the legal requirements.
Schaffhauser: How does the Children's Online Privacy Protection Act play into all of this?
Cohen: COPPA requires parental consent for online services to collect their children's information for children under 13. There are interpretations of that law that allow schools to stand in the place of parents in providing that consent. But it's a little different in that the school needs to inform parents and get consent for the purposes of that law if students are actually going to be providing their information directly to an online tool or teaching aid. That's another layer of considerations for schools.
That's more of an issue actually for the service providers. They are the ones that are directly subject to that law.
I've worked with a number of services that are taking compliance with that particular law very seriously because they're subject to penalties under it, and they have strict procedures in place to make sure the school districts have the consent of the parents or that they get the consent of the parents themselves.
Schools have the benefit of being able to reach out directly to parents, whereas a lot of the online services don't always have that option, which is one reason they sometimes rely on schools to get the consent on their behalf. But it tends to work a little more smoothly when the school or district is retaining the service, because they can have [everything] in place to make sure nothing slips through the cracks in terms of giving the proper consent or making sure the contracts say the right things.
The real tricky situation I've found in providing this advice is when the teachers are going off and signing up for these services themselves and enrolling their students — in some cases without the involvement of parents. In many cases they don't consider those types of things before they click the "submit" button and upload the personal information of the students in their class. That's the reason why it's important for schools and district to have dialogs with teachers and parents, so everybody knows what's going on.
Schaffhauser: Are these student data privacy concerns overly restrictive and slightly paranoiac?
Cohen: That's a very good question. I think it's important because while the majority of service providers want to do the right thing, if there aren't the proper contractual restrictions in place, there's a possibility of misuse of student information down the road. That's always a possibility whether or not there's a contract. But if districts and schools aren't taking time to assess the companies that they're providing student information to and what rights those companies have, then there's a possibility for student information to be used for a purpose that wasn't originally intended by the schools.
This is an issue that privacy law generally seeks to address: How tightly should we restrict uses of information so that we don't harm the types of people whose information is being used?
It's something that's a great concern, because there's so much you can do with the information you collect about students. If it's retained over a long period of time, there's a concern that [a service provider could] use information about a child during their formative years to create some sort of profile or other type of record about who they were at that time that could affect their opportunities later on.
That's a legitimate concern. There are lots of companies out there collecting information and figuring out different things it can be used for. At the very least, parents and districts should know how their children's information is being used and to whom it is being disclosed so they can make a proper determination about whether to entrust the service provider or vendor with student information.
At the same time, the types of services that are being used shouldn't be viewed as the "boogey man" in this relationship. It was sad to see what happened to inBloom. They were a non-profit corporation, and their business model was to try to provide these types of record services to schools and districts that were underserved for a lower price. The service actually could have benefited lots and lots of school districts that don't have the resources in an economy where districts are frequently going without the resources that they need.
This is one of the reasons I'm speaking about this. The issue would benefit from a reduction in the rhetoric but also a better understanding [on the part] of schools, parent groups and service providers.
There are lots of great things that you can use the data for. But in the end you want the school district and the schools to be in control of those purposes. I think the service providers in this industry are very vested in doing that. They don't want to use the information for their own purposes unnecessarily. They have developed a product that has filled a need of schools and districts, and to the extent you can meet the demand that's out there with supply that's cheaper and more powerful — quite frankly — than existing alternatives, it's to the benefit of all the parties involved.