As schools are preparing students to learn and utilize 21st century skills, it’s natural that students and their teachers are using more and more resources online. As a result, student information is being placed into information and learning management systems that are online.
Not only is there a legal obligation to protect student data through federal legislation like FERPA and many similar state laws, treating student data with respect is just the right thing to do. So, what could happen if a system was accessed by someone without approval (whether by stealing login information or hacking a system)? That data could be used for:
- Creating contact lists for email scams or targeted advertising
- Finding addresses and other contact info for family members
- Changing a student’s grades
- Viewing personal information meant to be private, such as learning and physical disabilities, or even medications
(For further reference, see this article on Why Data Security Measures Matter.)
What is FERPA?
As stated at the Family Compliance Office, the “Family Educational Rights and Privacy Act” (FERPA) is a federal law that affords parents the right to have access to their children’s Education Records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the Education Records.
When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”). The FERPA statute is found at 20 U.S.C. § 1232g and the FERPA regulations are found at 34 CFR Part 99.”
FERPA describes in section §99.35 (a) (2) that those authorized to view student data need to protect the personally identifiable information from further disclosures or other uses. School staff should implement reasonable safeguards to protect student data. Most districts outline these in their Acceptable Usage Policies relative to using technology resources.
What are some reasonable safeguards that teachers, principals, and other district leaders can begin to follow today to help protect student data?
1. Talk to your technology department first
If you want to use an application that collects student data (even if it’s just their name), make sure you check with your Technology Department. They may have already reviewed the application’s data privacy policies (and they will want to, if they haven’t). They may even have an alternative (and maybe better) application to meet your needs that they have already reviewed and support.
2. Don’t put a student’s personally identifiable information in email
Personally identifiable information is data that could identify the particular student with little effort. Sharing this information in an email is not secure since there is no control over where the email ends up or who can access it (think about emails on phones). However, sometimes a school staff member needs assistance in using an online application and needs to use email to send a student’s identification number to troubleshoot an issue. (Note: A student identification number is a random number assigned by either the state or the district and is not the social security number.)
Be sure to check with district policy. Because a student’s school identification number is generally considered directory information and by itself cannot be used to access any other information, it alone could be placed in an email (if district policy allows). Otherwise, be sure to send student data either via secure help system or secure file transfer (SFTP) site. This includes attaching documents and screenshots—none of those should be in an email if they contain student data.
3. Don’t hoard or overshare data
Only retain downloaded data for the time necessary to do the job at hand—delete your “Downloads” folder contents regularly! Also, don’t leave student data lying around or publicly discuss student records with others unless they have a “Legitimate Educational Interest” in the information. To put it simply, Legitimate Educational Interest is student information you need to know to fulfill your job responsibilities.
4. Only use demo data for training purposes
Training is essential and, at times, includes student data. If several schools from a single district are in the room, actual district student data should only be shown with district administration permission—and even then, only if it’s necessary for the training task at hand. Examples may be those in the room are on a school improvement team, interventional specialists, district administrators, curriculum staff. Otherwise, use demo or fake student data (or refer to the next safeguard).
5. Blur that data
When creating handouts and presentations, use demo data for screenshots whenever possible. But if live data must be used, obscure the data using a graphical editing tool that cannot be removed or undone (such as a blurring tool).
6. Protect the laptop
Keep laptops, smartphones, and tablets password protected and locked when not in use. For a Mac, use iCloud’s “Find my Mac” or similar tools in order to find and possibly retrieve a stolen or lost device. Be sure to check with your technology department on how to enable encryption on laptops as well. Also, use passcodes on mobile devices (tablets and phones), especially if that device is used to access student information.
Illuminate Education takes student data privacy seriously. We’re proud to have joined over 300 companies who are committed to student data privacy by joining the Student Privacy Pledge to safeguard student data. The pledge can be found here
Here is a list of resources if you’d like more information:
- Educator’s Guide to Student Data Privacy – Put out by FERPA SHERPA, this guide is meant to help teachers use technology in the classroom while protecting student data.
- Parent’s Guide to Student Data Privacy – Also put out by FERPA SHERPA, this guide helps parents understand various laws around student data privacy.
- U.S. Department of Education – Protecting Student Privacy resource provided by the US Department of Education.
- 21st Century Learning Framework – This outlines the 21st Century skills necessary for students to succeed.
Disclaimer: The information in this blog is intended for general information purposes only and is based on the cited resources and field experience. The information presented is not legal advice, is not intended as such, and is subject to change without notice. Please consult with an attorney before before making any determinations regarding compliance with local, state, and federal law.
Illuminate Education is a provider of educational technology and services offering innovative data, assessment and student information solutions. Serving K-12 schools, our cloud-based software and services currently assist more than 1,600 school districts in promoting student achievement and success.
Ready to discover your one-stop shop for your district’s educational needs? Let’s talk.