Vendor 101

Vendor 101: The Why?

There are many areas of consideration under the various laws on how educational entities and marketplace providers access, manage and move learner data.  Here is a snapshot of the critical ones.

CIPA:  Children’s Internet Privacy Act

Internet filters for K–12 schools and libraries to protect children from harmful online content as a condition for federal funding.

PPRA:  Protection of Pupils Rights Amendment

Requires parental consent for any surveys that contain political, sexual, mental state, relationship, or religious information.

COPPA:  Children’s Online Privacy & Protection Act

Requires operators of websites or online services for children under 13 to disclose that they are collecting personal information.

HIPAA:  Health Insurance Portability & Accountability Act

Usually HIPAA does not apply because the information is, by definition, part of “education records” under FERPA and, therefore, is not subject to HIPAA.

FERPA:  Family Educational Rights & Privacy Act (1974)

Schools must have written permission to release any information, but FERPA allows schools to disclose under certain conditions.

State:  Legislation as well as Local Statutes and Regulations

40 states have passed 125 student privacy laws since 2013.


Family Educational Rights & Privacy Act (1974)

Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31).

Education Agencies must adhere to the 1974 FERPA Law.  It outlines how entities must protect student data, ownership and even data exchange rules – way before digital tools were in use!

FERPA Exceptions

But like many laws, there are “FERPA exceptions”. The major exception schools use to contract software services (because most cannot develop their own) is the Schools Official Exemption – meaning vendors. 

Actually, the wording is: Performs an institutional service or function for which the school or district would otherwise use its own employees;

Other schools to which a student is transferring;

Specified officials for audit or evaluation purposes;

Appropriate parties in connection with financial aid to a student;

Organizations conducting certain studies for or on behalf of the school;

Accrediting organizations;

To comply with a judicial order or lawfully issued subpoena;

State and local authorities, within a juvenile justice system, pursuant to specific State law;

Appropriate officials in cases of health and safety emergencies;

School officials with legitimate educational interest.

Student Privacy Laws

School officials with legitimate educational interest should enter into Data Privacy Agreements (DPA) which should cover;

Schools, and not vendors, are held accountable under FERPA, so they must obtain Data Privacy Agreements with vendors covering what can and cannot be done with the data.

The Privacy Challenge...

Now that you know why schools need a Data Privacy Agreement (DPA) as part of their Terms of Service (TOS) conversations – why is it so hard?

Do The Math!

…with limited resources on all sides…