FERPA 101 for EdTech Companies
The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law designed to protect the privacy of student education records from unauthorized disclosure. The law applies to all schools and educational institutions that receive funding under a program administered by the U.S. Department of Education. Specifically, it grants parents or eligible students the right to:
1. Inspect and review the student’s education records.
2. Request the amendment of the student’s education records.
3. Consent to disclosures of PII contained in the student’s education records.
4. File a complaint with the U.S. Department of Education.
What do I have to know?
- Schools cannot disclose Personally Identifiable Information (PII) from Student Education Records without written consent from parents/guardians. They can share Directory Information without prior consent, if the student’s parents/guardians have not opted out of this.
- There are a number of exceptions to FERPA’s disclosure mandates. FERPA’s School Official Exception holds that school officials can provide consent to disclose PII, in lieu of parental consent, in order to procure services from outside providers with “legitimate educational interests.” Once released, this information can only be used for the purposes specified in the disclosure agreement.
- De-identified data and metadata that have been stripped of all direct and indirect identifiers and Directory Information are not protected under FERPA because they are no longer PII.
- FERPA mandates that parents/guardians or students must be able to request and inspect their Student Education Records, and to make corrections if needed.
- If your terms of service give you the right to change the terms without notice, schools may be advised not to use your product. If your terms change and violate FERPA, schools will be held liable. Particularly if these terms are non-negotiable click-wrap licenses, schools will be unable or advised not to use your product.
What do I have to do?
Understand what, if any, data you are collecting are protected under FERPA. If FERPA-protected student data has been disclosed to you via the School Official exception, your use and maintenance of PII from education records is under direct control of the school. You must ensure that:
- Education records are used as agreed upon in the contract.
- Education records are not redisclosed without the school’s permission.
- Schools are notified in advance of any changes to the terms.
- Schools are provided with access to the student’s education records.
Key takeaways:
Investing time to understand and demonstrate compliance with FERPA will ease your entry into schools. Your partner schools will be able to enjoy the benefits of your product while protecting student privacy. By demonstrating your product’s compliance with FERPA, you accelerate your customer’s review cycle.
FERPA glossary of terms
- Personally Identifiable Information (PII): FERPA’s definition of PII includes a student’s name, or the name or nickname of a family member, their address, any personal identifiers that are directly tied to one individual (like social security numbers, photos, phone numbers, medical records), any identifiers that are indirectly associated with an individual (like date of birth, detailed geographic information short of actual address), and any other information through which a “reasonable person within the school community” could identify the student.
- Education Records: Materials that are “maintained by an educational agency or institution or by a person acting for such an agency or institution,” and contain information directly related to a student.
- Directory Information: Name, address, telephone listing, email address, photograph, date/place of birth, major, grade level, enrollment status, date of attendance, degrees, honors/awards, most recent educational institution attended, and participation in sports and other activities. Does not include social security number.
- De-Identified Data: The data has been scrubbed of all personally identifiable, and indirectly identifiable, information and there is a reasonable determination that the information could no longer facilitate the identification of a student.
Additional information about FERPA and student data privacy:
This FERPA 101 is not legal advice. Instead, we hope to introduce basic issues of FERPA and student data privacy, and help EdTech companies consider protections for student data.