The Children’s Internet Protection Act also plays a role here. “CIPA is perhaps the most overlooked regulation” when it comes to student data privacy and security, Sander says. “Content filters are used as the measure for CIPA compliance, but as more student information is moved online in cloud storage, content filters cannot protect student data from ‘unauthorized disclosure, use, and dissemination of personal information regarding minors.’”
Other relevant laws include the Protection of Pupil Rights Amendment, which outlines restrictions pertaining to student privacy in federally funded surveys or evaluations. In addition, schools funded under the Individuals with Disabilities Education Act must ensure the confidentiality of personally identifiable information.
In addition to federal laws, 42 states and the District of Columbia have passed more than 128 student privacy laws, says Jim Siegl, a senior technologist with the Youth & Education Privacy team at the Future of Privacy Forum.
What Happens if a School Breaches FERPA?
To meet the demands of FERPA, a school must “take reasonable precautions to ensure that someone who doesn’t have a legitimate educational interest in accessing the records can’t get access to those records,” Rooker says. “If you’re doing emails outside, encryption is a reasonable precaution. If you’re storing sensitive information, make sure you have your firewalls in place.”
A breach occurs when protected student data is exposed to outside eyes, or a district simply fails to take reasonable precautions to protect data. Breaches can result in an investigation by the U.S. Department of Education.