Last month, the U.S. Department of Education released guidance on the proper use, storage and security of student data being generated by new online educational resources. Published by the Department’s new Privacy Technical Assistance Center, the guidance titled “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices” provides answers to certain questions regarding schools’ and school districts’ obligations to protect student information under the Family Educational Rights and Privacy Act (FERPA) while using online educational resources. The Department also offers its best practices for using online educational resources. The Department generally advises that schools’ obligations under FERPA largely depend on the specific type of online educational resource being used.
For example, the Department states that whether student information used in online educational services is protected by FERPA depends on the particular type of online educational service being used. Certain types of online educational resources do not require that any personally identifiable information be disclosed, such as programs that allow students to complete interactive exercises without requiring a student to log in. Other resources, however, allow students and their parents to log in and access class materials, in which students’ names and contact information would need to be disclosed in order to set up student accounts. If personally identifiable information is disclosed to an online provider, schools and school districts must either: (1) obtain parental consent (or student consent if the student is 18 or over); or (2) ensure that the disclosure meets one of FERPA’s exceptions to the written consent requirement or constitutes the release of “directory information.” The Department notes that the “school official” exception may be applicable for certain disclosures.
The Department also recommends various best practices to schools and school districts when using online educational resources, such as:
- Maintain awareness of other relevant federal, state, tribal or local laws, including the Children’s Online Privacy and Protection Act.
- Be aware of which online educational services are currently being used in your district.
- Have policies and procedures to evaluate and approve proposed online educational services.
- When possible, use a written contract or legal agreement between the school and the online educational resource provider.
- Use caution and take extra steps before accepting “Click-Wrap” licenses for consumer apps.
- Be transparent with parents and students.
- Consider whether parental consent is appropriate in certain circumstances.