New federal guidance addresses student privacy issues


On Board Online • March 10, 2014

By  Pilar Sokol
Deputy General Counsel

Advances in technology offer school districts opportunities to support student learning in ways that were once unimaginable. It is now possible, for example, for students and their parents to access class readings and information on a student’s progress, as well as to view tutorials and complete homework assignments online. It is also common for districts to use third parties to provide online educational services, raising concerns about student privacy and safety.

Recognizing both the importance of technology in education and the need to protect students, the Privacy Technical Assistance Center (PTAC) at the U.S. Department of Education (DOE) recently issued a guidance document entitled Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices.

The guidance defines online educational services to include computer software, mobile applications (apps), web-based tools and other educational, informational and communication technologies that students and/or their parents access via the Internet and use as part of a school activity. It does not include online services that are used by school district staff for administrative purposes but are not accessible by students and/or their parents.

Issues can come up, for example, when a school district decides to use a system that requires students and their parents to log in and gain access to online educational services through a student account. To create such accounts, a district would likely need to make available to third-party providers student names and contact information from student education records. Provider misuse of such data would place student privacy and safety at risk.

DOE recommends school districts:

  • Be aware of all the relevant federal and state laws, including the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy and Protection Act (see sidebar below).
  • Be aware of the online educational services currently in use by the district and the scope and range of student information being shared with providers.
  • Adopt and enforce policies for evaluating and approving online educational services including both formal contracts and the acquisition of “click-wrap” software simply by clicking “accept” to a provider’s terms of service.
  • Use a written contract or legal agreement that helps the district maintain direct control over the use and maintenance of student data, even when FERPA is not implicated.
  • Be as transparent as possible with parents and students about how the district collects, shares, protects and uses student data, as well as the type of information collected when students use online educational services and how that information will be used.
  • Develop, as appropriate, an education technology plan for addressing student privacy and information security issues, and soliciting parental feedback on the plan prior to its implementation or the adoption of new online education services.
  • Consider the appropriateness of parental consent even when FERPA does not require such consent.
  • Ensure contractual agreements with third party providers have adequate data security provisions.

Caution regarding ‘click-wrap’ agreements for consumer apps
The guidance notes that it is easy for school teachers and administrators to download and use consumer apps software by simply “clicking” to accept the terms of service set by the apps provider, and without understanding how the provider will use and secure student data.  Furthermore, these so-called “click-wrap” agreements entered into by district staff essentially establish a contractual relationship similar to a contract between the provider and a district as the end-user.  Therefore, it is important that district staff clearly understand limitations on their authority to enter into such agreements.

In addition, because the choice often can be between accepting the apps provider’s terms or not using the app, DOE recommends that districts:

  • Compare the provider’s terms with those DOE recommends that districts include in their contractual agreements with third party providers of online educational services.
  • Check if the provider is allowed to amend the terms without notice.  This would affect a district’s ability to directly control the provider’s use and maintenance of FERPA-protected information made available to the provider under FERPA’s legitimate educational interest disclosure exception.
  • Regularly review click-wrap agreements to identify changes and a possible need to re-evaluate the continued use of the service.
  • Print or save a copy of the terms of service agreed to.
  • Limit who may authorize click-wrap agreements and establish a process for exercising that authority.


Read the guidance at http://goo.gl/chYKWA.




Back to top