In January 2015, the US Department of Education issued an advisory to all elementary and secondary schools on data privacy and security issues to be considered in negotiating agreements with online service providers or mobile applications. The Department also released “Model Terms of Service” that provide specific recommended provisions for such agreements, along with a short video dramatizing its recommendations.
Is the Department of Education Changing the Law Regarding Student Data Privacy?
No. This guidance document does not change the statutory or regulatory requirements related to data privacy and security in the educational field. In fact, the Department is quite explicit that the guidance embodied in the “Model Terms of Service” goes beyond what is required by the Family Educational Rights and Privacy Act (“FERPA”) and other federal laws.
FERPA applies to public K-12 schools as well as any other educational institution, regardless of grade level, receiving federal funds, including but not limited to federal student aid. Among other things, FERPA restricts a school’s ability to disclose or share personally identifiable information (“PII”) contained in a student’s education record without prior written consent from the parent of a student under the age of 18 or from the student if he or she is over 18. FERPA provides some narrow exceptions to the prior consent requirement, including, in some circumstances, the sharing of information with outside service providers.
If They Don’t Change the Law, Why Do the Model Terms of Service Matter?
The Model Terms of Service go beyond the requirements of statute towards what the Department expects to see in provider agreements.
School administrators rely on the Department of Education, an important source of funds, and they generally want to keep the Department happy. While the Model Terms of Service do not change the law, they clearly indicate the provisions the Department expects schools and districts to include in their contracts with service providers. At first glance, the Model Terms of Service appear to provide an easy-to-follow roadmap for schools and districts negotiating agreements with service providers: simply remove language about which the Model Terms issue a “WARNING!” and replace it with language the Model Terms deem “GOOD!”
Of course, contract negotiations and amendments are rarely so easy. The implications of such changes in any one contract (especially when such changes go beyond – sometimes well beyond – the actual legal requirements) could be significant.
What do the Model Terms of Service Recommend?
The Model Terms of Service identify twelve privacy-related provisions schools should look for in agreements with service providers. In its release, the Department has provided schools with what it considers “Best Practice” language (which it labels “GOOD!”), as well as language that “should not be included” (which it labels “WARNING!”).
In short, the “Best Practice” language the Department recommends would:
- establish a broad definition of “data” subject to an agreement’s restrictions, potentially including information that may not be covered by FERPA, such as metadata;
- significantly restrict the ability of a service provider to use even de-identified data for secondary purposes;
- prohibit a service provider from using any student data for marketing or recruiting to students or their parents, including directory information;
- prevent a service provider from modifying its terms of service or use without the express prior consent of the school or district;
- limit the data that the service provider may collect;
- limit the purposes for which the service provider may use the data;
- prohibit service provider data-mining;
- restrict the ability of the service provider to share data without prior consent by the school, even with subcontractors;
- require specific data destruction or transfer provisions;
- ensure that schools retain the ownership, property rights and licenses to all data;
- require a service provider to provide the school with access to the data it holds; and
- mandate industry standard security controls, including appropriate administrative, physical, and technical safeguards coupled with risk assessments and incident response plans, to secure information from being compromised.
The Bottom Line
The sharply heightened focus on student data security and privacy is the new normal. Companies that sell into the education market are increasingly subject to restrictions that challenge their ability to maintain service levels while addressing client concerns. While at the most basic level some of the “best practices” recommended by the Department are already common practice and follow current federal and state legal requirements, others go well beyond current requirements or expectations. Knowing the difference and drafting language designed to meet a company’s specific circumstances will be critical to negotiating workable agreements and satisfying the overarching desire of schools and districts to stay on the right side of the Department. Companies that fail to recognize this imperative will find their markets sharply constrained and ultimately vanish.
The primary issue for schools is simple: it is the schools, the recipients of Federal support, and not the service providers, that bear the risk of liability for violations of FERPA. It is therefore not only logical but a legal imperative for schools to maintain reasonable control over student data. Schools will expect their agreements to provide sufficient protective language to preclude third party uses that may violate FERPA or other existing law. Further, schools will expect their service providers to actually use student data only as allowed and to take appropriate steps to protect student data against security compromises.
While the Model Terms of Service provide a useful point of information to consider while reviewing or negotiating an agreement, they are not and should not be the only source. The Model Terms may be optimized from the perspective of the Department of Education, but they do not define the boundaries of current law.
The Model Terms of Service are the opening salvo of a much larger discussion of student data privacy at the federal level, reflecting recent actions by state governments that impose similar and even more severe restrictions on companies that provide services to schools or which collect and process student data. The White House and Congress are in the process of negotiating legislation directly addressing student data privacy. Over the relatively near term, we likely are going to see a variety of student data privacy laws and regulations emerge, many with significant implications for both schools and the ed tech companies that service their needs.
An already complex area of law and policy is about to become more so.