Knowledge Books

HomeDigital ProtectionsCOPPA ComplianceInformation & Guidance for PLCS Staff

1.1. Information & Guidance for PLCS Staff

Protecting Student Data in a Digital World

Information & Guidance for PLCS Staff

Introduction

The modern classroom incorporates a wide array of web-based tools and services to assist and track student learning, personalize instruction, and overall improve education.  These tools create vast amounts of data about students who use them.  In turn, the tools also create a vast amount of responsibility for the schools who employ them.  School districts have a responsibility to safeguard the privacy of student records that are maintained by the district.

To fulfill this responsibility, it is important to understand both the school district’s legal obligations and students’ rights.  A variety of federal and state laws impose requirements and restrictions on how student information can be stored, accessed, and shared.  This handout will introduce the laws that govern the disclosure of student information to app developers, online service providers, and other third parties.

FERPA

The Family Educational Rights and Privacy Act (FERPA) is the foundational law that protects student records.  All school districts that receive federal funding are required to comply with this federal law.  Failure to comply puts the school district’s federal funding at risk.  FERPA governs the disclosure of personally identifiable information (PII) in education records and outlines under what circumstances a school district can disclose records that contain PII with and without parental consent.  Generally, an institution is prohibited from disclosing PII from an education record without consent, unless the disclosure meets an exception.

Personally Identifiable Information.  FERPA primarily protects personally identifiable information.  FERPA’s definition of PII includes: the student’s name, the name of the student’s parents or family, the address of the student or family, a personal identifier (social security number, student number, biometric record, etc.), other indirect identifiers (birthdate, place of birth, mother’s maiden name), or other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

The Directory Information Exception.  Some personally identifiable information, such as a student’s name or grade, can be released without prior written consent as directory information.  A good example of this exception in use is when a school publishes a yearbook or a program for an athletic event.  The extent to which the directory information exception applies depends on the school’s policy.  Parents must receive notice of and can opt out from the school’s use of the directory information exception.

The School Official Exception. The School Official Exception is the primary exception used to allow technological data to be shared with third party developers and service providers without prior written consent.  For a disclosure to fit within the School Official Exception, the third party to whom disclosure is made must be providing a service or function that would otherwise be completed by the school.  Third parties operating as school officials may only use PII from education records to perform the specific services requested.

The school district must also retain direct control over the use and maintenance of the disclosed records.  Direct control is usually established by creating a written agreement with the third party.  This agreement, often a “click-wrap” or terms of service agreement, should establish terms for the security, collection and destruction of student data.  While such agreements are usually long and complex, it is important you review them to ensure they comply with relevant legal obligations.  In some cases, the district can negotiate the terms of the agreement.  This is especially true when the district agrees to a multi-year contract with a vendor.  

To summarize, the school official exception allows you to disclose PII from education records if:

  • The disclosure is to a third party performing a service or function for the district that the district would otherwise perform for itself;
  • The use of the information is limited to the performance of that service or function; and
  • The school maintains direct control over the information, often through a written agreement.

Conclusion. FERPA allows you to share PII from education records with online developers and providers if:

  • You have prior written parental consent (it's always OK to disclose with prior written consent);
  • The disclosure is of directory information as defined by school policy; or
  • If the disclosure meets the requirements of the school official exception. 

There several other exceptions to FERPA, such as in cases of emergency or a court order.  If you have any questions about sharing a student’s PII you should contact the administration. 

COPPA

FERPA is not the only federal student privacy law of which educators should be mindful.  The Children’s Online Privacy Protection Act (COPPA) is a federal statute designed to place limits on the information which operators of websites or online services can collect from children under the age of 13.  COPPA is the reason Twitter, Instagram, and Facebook have a minimum user age of 13.  COPPA requires websites to verify parental consent before collecting PII from adolescents online.  The aim is to give parents more control over what information is collected from their children. 

Schools are not directly regulated by COPPA, but as the digital age has moved into the classroom, schools have increasingly been put in the middle of the relationship between vendors and parents.  The Federal Trade Commission (FTC), which enforces COPPA, has said that schools can consent to the collection of information of young children by internet operators.   Such consent must be consistent with district policies and notices.

Other Federal Laws

FERPA and COPPA are the primary federal laws that protect student data privacy.  However, depending upon the context of the situation, other laws may apply.  For example, in the special education context the Individuals with Disabilities Education Act (IDEA) can impose additional obligations on the maintenance of student records.  Similarly, when the context of disclosure involves student surveys or evaluations, the Protection of Pupil Rights Amendment (PPRA) may be implicated.  Again, when in doubt as to whether student information should be disclosed, or how much information about a student should be disclosed, staff should contact the administration.

SOPPA

The Student Online Personal Protection Act (SOPPA), is a Nebraska law that addresses the use of student data.  SOPPA restricts the use of student’s covered information by operators of interactive computer services.  Much like COPPA, the legislation imposes obligations on providers and developers rather than school districts themselves.  Despite not being directly obligated under this law, educators should work to ensure that the providers they contract with are in compliance with SOPPA.

Overview Conclusion

Depending on the context, an array of laws can restrict the disclosure of student records to online operators. FERPA is the most widely applicable. FERPA requires consent prior to the disclosure of PII, unless an exception applies. A number of exceptions, especially the School Official Exception, can apply to allow disclosure of data to third-parties. 

Federal laws such as COPPA, IDEA, and the PPRA may apply depending upon the context.  At the state level, SOPPA will apply to disclosures to operators of computer services.  All agreements between the district and online operators must be reviewed to ensure that the data is disclosed and maintained in a legally compliant manner.  Staff members do not have the power to agree to a contract on behalf of the school district without administration approval.

What does this all mean for PLCS staff?

PLC Schools has taken several steps to inform parents of how student records information is shared with others.  Board policy and procedure 5501 available at www.plcschools.org provides a general framework for our practices.  Parents can also find a list of the various PK-12 web-based services and apps the district utilizes with students at the website.  This is updated on a regular basis to reflect the natural evolution that occurs with educational technology resources.  In addition, parents provide consent (or can refuse) for school district staff to share student directory information with third-party web-based and software application providers when they complete the online verification process at the start of the school year.

There are also steps that staff can take in order to protect the identity of their students, parents and themselves when participating in our digital world.  The bulleted list below is intended to provide guidance to staff members when using web, app or software applications with students or parents. 

  • Access or invitations to monitor or participate in student accounts (e.g., Seesaw; Canvas; etc.) should only be given to parents or guardians with educational rights
  • Parents should not be required to sign-up or join a web or app-based service being used with their child (e.g., Seesaw).  These tools must remain optional for parents. 
  • Web or app-based communication used specifically in a classroom should not circumvent regular building or district communication.  These tools are intended to be an enhancement to these communications practices. 
  • Staff should check with their school principal to see if the parents of any of their students have placed limitations on the use of directory information.  If so, this would prohibit the teacher/school from using it in a web-based or software application that requires this type information without specific parental consent to do so. 
  • Staff should avoid using full student names, student emails and other personally identifiable information unless it is essential when using a third-party web-based services or applications.  Staff should exercise great care before doing so.  Exceptions may apply for resources that have been purchased and provided for use in the district adopted curriculum (e.g., HMH Player; IXL; Canvas; Office 365; etc.).  Staff may consider using other naming conventions to identify students such as first or last name initial(s) combined with a full first or last name (e.g., Grant S. or G. Schwartz), school student ID number or an avatar (or pseudonym) name. 
  • When a student email is necessary to utilize an essential web or app-based tool, staff should use the school district issued email address and not a students’ personal email.  PLCS email includes some additional filtering and monitoring features that are not be available on a personal email account.  

Conclusion

Digital tools have gone from a nice to have resource to a critical strategic asset in our classrooms.  This has enhanced the learning environment in meaningful ways while concurrently making it more complicated to protect students.  The objective of this guidance is to provide a simple and manageable set of practices that staff can follow in order to protect the personally identifiable information of students while maintaining the innovative potential of instructional technology.  If you need general support in carrying out this guidance we recommend that you talk your building administrator.  If you have a specific question regarding a web-based or software application, you may email helpdesk@plcschools.org and your question will be directed to the staff member that can best assist you.

Downloads

PLCS Online Privacy - COPPA Compliance Video