There are many areas of consideration under the various laws on how educational entities and marketplace providers access, manage and move learner data. Here is a snapshot of the critical ones.
CIPA: Children’s Internet Privacy Act
Requires Internet filters for K–12 schools and libraries to protect children from harmful online content as a condition for federal funding.
PPRA: Protection of Pupils Rights Amendment
Requires parental consent for any surveys that contain political, sexual, mental state, relationship, or religious information.
Requires operators of websites or online services for children under 13 that they are collecting personal information
HIPAA: Health Insurance Portability & Accountability Act
Usually HIPAA does not apply because the information is, by definition, part of “education records” under FERPA and, therefore, is not subject to HIPAA.
FERPA: Family Educational Rights & Privacy Act (1974)
Schools must have written permission to release any information, but FERPA allows schools to disclose under certain conditions.
State: Legislation as well as Local Statutes and Regulations
40 states have passed 125 student privacy laws since 2013.
FERPA
Family Educational Rights & Privacy Act (1974)
Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31).
Education Agencies must adhere to the 1974 FERPA Law. It outlines how entities must protect student data, ownership and even data exchange rules – way before digital tools were in use!
FERPA Exceptions
But as with many laws, there are “FERPA exceptions”. The major exception schools use to contract software services (because most cannot develop their own) is the Schools Official Exemption – meaning vendors.
Actually, the wording is: Performs an institutional service or function for which the school or district would otherwise use its own employees;
Other schools to which a student is transferring;
Specified officials for audit or evaluation purposes;
Appropriate parties in connection with financial aid to a student;
Organizations conducting certain studies for or on behalf of the school;
Accrediting organizations;
To comply with a judicial order or lawfully issued subpoena;
State and local authorities, within a juvenile justice system, pursuant to specific State law;
Appropriate officials in cases of health and safety emergencies;
School officials with legitimate educational interest;
Student Privacy Laws
School officials with legitimate educational interest should enter into Data Privacy Agreements (DPA), which should cover:
Security and Data Stewardship Provisions.
Collection Provisions.
Data Use, Retention, Disclosure, and Destruction Provisions.
Data Access Provisions.
Modification, Duration, and Termination Provisions.
Schools, and not vendors, are held accountable under FERPA so they must obtain Data Privacy Agreements with Vendors covering what can and cannot be done with the data.
The Privacy Challenge...
Now that you know why schools need a Data Privacy Agreement (DPA) as part of their Terms of Service (TOS) conversations – Why is it so hard?
Do The Math!
13,000+ US Public School Districts
The Average US School Has Anywhere Between 400 and 1,000 Applications
85% of Them Have Fewer Than 5,000 Students – Many CIOs Teach Daily!