Security

Working Remotely? Here’s How to Maintain FERPA Compliance

Privacy protections under the Family Educational Rights and Privacy Act still apply, no matter where or how school takes place.

Micah Castelo

Twitter

Micah Castelo is a web editor for EdTech: Focus on K-12. Her experience includes education and community news coverage for the Syracuse Post-Standard and international news reporting for the Pulitzer Center on Crisis Reporting.

For many students and educators, back to school this year means a return to extended remote learning. But teaching and learning for a longer period of time in this new environment — which is often virtual and technology-heavy — can make it harder for schools to protect student data.

School leaders and teachers, in particular, are worried about violating the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records, when holding classes online.

Consider this scenario: Some students at Clark County (Nev.) School District can’t attend classes livestreamed online. However, teachers can record their classes and post them online to ensure those students can still view them. “But I also feel like we’re walking a tightrope between how much we can record legally and how much we can provide families,” said Vicki Kreidel, a second-grade teacher at CCSD’s Heard Elementary School, in an interview with KVVU-TV.

With many schools adopting new online tools, conducting more videoconferencing calls and collecting data to monitor student progress and health, it’s even more crucial to understand and uphold FERPA. But how does the regulation apply to a virtual learning environment? And how can educators and other school employees maintain FERPA compliance, no matter where school takes place?

How Does FERPA Apply to Online Classrooms?

While FERPA does not address which applications or online tools are safe for teachers and student to use, schools must ensure any third-party vendors they work with are compliant with the regulation.

According to guidance from the U.S. Department of Education’s Student Privacy Policy Office (SPPO), schools can disclose students’ education records — or the personally identifiable information (PII) in those records, such as their date of birth or social security number — without consent only to service providers that meet the following criteria:

Performs an institutional service or function for which the educational agency or institution would otherwise use its own employees;
Has been determined to meet the criteria set forth in the educational agency’s or institution’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records or PII;
Is under the direct control of the educational agency or institution regarding the use and maintenance of the education records or PII;
Uses the education records or PII only for authorized purposes and does not redisclose the education records or PII to other parties (unless the provider has specific authorization from the educational agency or institution to do so and it is otherwise permitted by FERPA).

The SPPO also notes that educators may record their classes and share the recordings as long as they don’t disclose any PII. If the recordings do, then appropriate written consent must be obtained first. The same guidance applies if an educator has to teach or conduct a meeting from home with others in their household present.

DISCOVER: Ask these questions before selecting technology for online learning.

How to Set Up an Online Classroom for FERPA Compliance

So, what can schools do to better protect student privacy under FERPA? Consider these tips:

Have a policy for vetting ed tech tools. Schools should create a process for choosing new ed tech tools if they don’t have one already. This helps teachers and students figure out which apps, online platforms and educational websites they can safely use for learning. The DOE has a checklist schools can refer to as they evaluate ed tech products and vendors’ Terms of Service agreements. Schools should also work with their legal counsel and information security specialists to properly vet any tools against FERPA requirements, according to the DOE.
Follow data privacy and cybersecurity best practices. Schools should generally look for products with strong security features such as multifactor authentication and data encryption. But it’s also important to follow other best practices, such as providing role-based access to sensitive data, building an inventory of authorized and unauthorized assets, connecting to the district’s VPN while on unsecured networks and adopting a zero-trust model. Teachers and other school employees should also remember to use only work devices when accessing PII or any other sensitive data and to keep those devices locked when unattended.

MORE ON EDTECH: Improve your cybersecurity program with these tips.

Be transparent. Many questions about FERPA will arise in this uncertain environment. Therefore, it’s best for schools and districts to regularly communicate with parents and students about how they handle student data. “With online educational services, it can often be unclear what information is being collected while students are using the technology. Even when this information is not protected by FERPA or other privacy laws, it is a best practice to inform students and their parents of what information is being collected and how it will be used,” the Department of Education states. The DOE suggests creating an educational technology plan with guidelines for protecting student privacy and information. They also recommend schools post copies of the privacy and security provisions in their contracts with third-party vendors on their website.

It’s clear that schools and districts must take a deliberate approach to adopting educational technology to protect student data and create a secure working environment for their staff. FERPA will still remain in effect even beyond this time of remote learning — both inside and outside the school building.

Drazen_/Getty Images