In working with school districts and charter schools, our firm has learned that many clients may have entered into agreements that lack key contract terms necessary to protect student data privacy. In other cases, we have seen districts enter into what appear to be short contracts with straight-forward terms but that incorporate more onerous terms that the district may not have seen. In light of increasing risks for contract disputes and for allegations of liability against schools, we urge clients to take the steps outlined in this alert to set forth a clear policy for the sharing of student data with third parties. These steps can be applied through future contracts and can be identified and amended in existing contracts that lack necessary protections.
More and more school districts are entering into agreements that involve the sharing of student data, including data that could potentially identify students. These agreements include contracts ranging from essential day-to-day operational services such as student information systems and agreements for technology products such as photocopiers and telephone systems to contracts for the use of educational technology in classrooms like Google Apps for Education. These agreements also include contracts with organizations and other entities to conduct studies on behalf of school districts and schools for the purposes of improving instruction. Even certain agreements with consultants working on site may be implicated. Some of these agreements are entered into, perhaps even unwittingly, by teachers and others who are looking to use innovative applications and software in classrooms with students and sign onto “click-wrap agreements” but who may not fully understand the terms of these contracts and the implications on student data privacy.
At the same time, parents are increasingly concerned about districts sharing data about their children. Legislation is working its way through many states, including Illinois, in an effort to protect student data privacy. The risk for liability is growing, whether based on lawsuits from parents who believe their student data has been improperly shared or breached or contractual disputes with vendors attempting to deflect blame when a breach or other misconduct involving student data occurs.
In working with clients, we have learned that many would benefit from more robust policies and procedures to ensure that contracts contain terms that sufficiently protect student data and are in compliance with state and federal law and best business practices. Policies and procedures should address who can enter into agreements to share student data, and ensure that training is given to confirm that employees understand any limitations on their roles. Such policies are crucial in mitigating the risk of liability, either in a parental lawsuit or a contract dispute with a vendor or researcher, for the school district or charter school. These concerns are not limited to contracts yet to be negotiated; audits we have conducted for clients have uncovered numerous contracts previously negotiated, but still in effect, that lack the necessary terms to provide protections to ensure the security of student data.
For this reason, we advise school districts and charter schools to, at a minimum, make sure that they are reviewing all the terms of a contract, including those incorporated terms, to ensure that the terms are not detrimental for the district or for its students. We further advise that school districts and charter schools implement or revise policies to ensure that student data is being adequately protected in contracts and agreements, including providing clear limitations on who may enter into data sharing agreements. School districts and schools also should conduct an audit to understand whether contracts currently entered into contain required and recommended terms.