How Does FERPA Apply to Online Classrooms?
While FERPA does not address which applications or online tools are safe for teachers and student to use, schools must ensure any third-party vendors they work with are compliant with the regulation.
- Performs an institutional service or function for which the educational agency or institution would otherwise use its own employees;
- Has been determined to meet the criteria set forth in the educational agency’s or institution’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records or PII;
- Is under the direct control of the educational agency or institution regarding the use and maintenance of the education records or PII;
- Uses the education records or PII only for authorized purposes and does not redisclose the education records or PII to other parties (unless the provider has specific authorization from the educational agency or institution to do so and it is otherwise permitted by FERPA).
The SPPO also notes that educators may record their classes and share the recordings as long as they don’t disclose any PII. If the recordings do, then appropriate written consent must be obtained first. The same guidance applies if an educator has to teach or conduct a meeting from home with others in their household present.
How to Set Up an Online Classroom for FERPA Compliance
So, what can schools do to better protect student privacy under FERPA? Consider these tips:
Have a policy for vetting ed tech tools. Schools should create a process for choosing new ed tech tools if they don’t have one already. This helps teachers and students figure out which apps, online platforms and educational websites they can safely use for learning. The DOE has a checklist schools can refer to as they evaluate ed tech products and vendors’ Terms of Service agreements. Schools should also work with their legal counsel and information security specialists to properly vet any tools against FERPA requirements, according to the DOE.
Follow data privacy and cybersecurity best practices. Schools should generally look for products with strong security features such as multifactor authentication and data encryption. But it’s also important to follow other best practices, such as providing role-based access to sensitive data, building an inventory of authorized and unauthorized assets, connecting to the district’s VPN while on unsecured networks and adopting a zero-trust model. Teachers and other school employees should also remember to use only work devices when accessing PII or any other sensitive data and to keep those devices locked when unattended.
- Be transparent. Many questions about FERPA will arise in this uncertain environment. Therefore, it’s best for schools and districts to regularly communicate with parents and students about how they handle student data. “With online educational services, it can often be unclear what information is being collected while students are using the technology. Even when this information is not protected by FERPA or other privacy laws, it is a best practice to inform students and their parents of what information is being collected and how it will be used,” the Department of Education states. The DOE suggests creating an educational technology plan with guidelines for protecting student privacy and information. They also recommend schools post copies of the privacy and security provisions in their contracts with third-party vendors on their website.
It’s clear that schools and districts must take a deliberate approach to adopting educational technology to protect student data and create a secure working environment for their staff. FERPA will still remain in effect even beyond this time of remote learning — both inside and outside the school building.