Sep 26 2019

FERPA Compliance in the Digital Age: What K–12 Schools Need to Know

A new reliance on data means K–12 schools will need to have a modern understanding of student data privacy regulations.

More than 50 cities and towns have been affected by ransomware so far this year. That figure, which continues to grow, increasingly includes schools, putting students’ personal data at risk.

As of September 2019, at least 10 school districts have been in the news for their own ransomware attacks, and the U.S. Department of Education reports that hundreds of educational data breaches occur annually.

K–12 schools are already hard-pressed to protect student data under the Family Educational Rights and Privacy Act (FERPA) and to keep students safe from identity theft, fraud and extortion.

Now, some advocates are calling for FERPA, which was established in 1974, to be strengthened and more responsive to the cyber threats of today, including ransomware and data theft.

MORE FROM EDTECH: See how K–12 schools can protect students' data after graduation day.

States Score Low Among Privacy Organizations

The State Student Privacy Report Card,” released earlier this year by the Parent Coalition for Student Privacy and The Network for Public Education, gives no state the top grade — an A-plus — for their laws protecting students’ data. The top-scoring state, Colorado, earned a B.

“Digital record-keeping has replaced traditional paper files, classroom assignments and assessments are often delivered online via laptops or tablets, teachers use social media platforms, websites and ‘free’ apps in class, and many operational functions historically performed by schools are now outsourced remotely to contractors,” the report’s authors write. 

“As a result, students generate enormous amounts of sensitive electronic data about themselves every day, not all of which is clearly protected by federal law.”

This includes students’ full names, dates of birth and home addresses, as well as other sensitive information such as health records, special education referrals, and, in some cases, biometric data such as fingerprints and facial scans.

“Privacy laws in and of themselves are very, very complex and hard to interpret,” says Leonie Haimson, co-chair of the Parent Coalition for Student Privacy.

FERPA Changes Can Make Following Privacy Laws Confusing

The report continues, “Compounding the problem, FERPA has been weakened numerous times over the years through regulatory changes, making it easier for schools to collect and share this data with large private corporations, including Silicon Valley giants such as Google, Facebook, and Microsoft, as well as thousands of smaller ed tech companies, many of them start-ups who offer their wares for free to schools in exchange for access to student data.”

To fill these gaps, the report states, more than 120 student privacy laws in at least 40 states have been passed since 2013, creating a confusing patchwork of statutes.

Haimson says her organization believes these laws do not go far enough, and that FERPA has been weakened too much to be effective in protecting students’ data.

At issue, she says, is that FERPA was altered twice since it first passed in the 1970s, creating exceptions to share information and students’ records with vendors without parents’ consent.

“That’s why this data is flowing out all over the place, and it’s really hard to ever know how it’s being used,” she says.

MORE FROM EDTECH: Here are some ways K–12 schools can change their approach to FERPA.

K–12 Privacy Regulations Should Match Schools' Needs

In the past four years or so, Haimson says, discussion about strengthening FERPA to modernize and update the law has become more common.

“With the explosion of the use of ed tech tools, there’s increased disclosures happening, and that data isn’t really being protected,” she says.

Daniel Greene, a member of Beckage law firm, says each state has certain obligations under FERPA, and under the Children's Online Privacy Protection Act to some extent.

“Schools in an educational agency are responsible for the data of their students, and no one should have access to that besides parents, students and third-party service providers,” he says. “The understanding is that the laws and regulations also apply to those providers to protect that data as if they were the school.”

For example, he says, under the current law, a company providing surveillance cameras and software for a school must abide by the same laws a school lives by when it comes to protecting students’ data.

He says existing laws work if they are followed.

“Schools are in the business of educating students, but they need to be very aware of what is in their contracts and make sure they are holding vendors to what is in their contracts,” Greene says.

“Schools should always be thinking, ‘Why are we holding this information, how long should we hold it and who are we allowing to have access?’” he says.

He advises that school leaders ensure their third-party vendors have appropriate safeguards in place and make sure contracts hold them liable if something does go wrong.

“We live in a new world where there are really cool advances,” Greene says. “It’s just a matter of responsibly implementing them.”

D3Damon/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT