Day 173 — A tech startup’s guide to FERPA
Earlier this year, I did a ton of work into building out the activities Invincible will need to be HIPAA Compliant. HIPAA helps regulate data privacy for doctors and 3rd parties that handle PHI, or personal health information.
But for working with schools, there is another regulation that governs data privacy: FERPA.
What is FERPA?
FERPA is a Federal law that protects personally identifiable information in students’ education records from unauthorized disclosure. It affords parents the right to:
- Access their child’s education records.
- Seek to have the records amended.
- Have some control over the disclosure of personally identifiable information from the education records.
But what does this mean, practically speaking? Today I investigated.
If you can afford it…I’m doing this investigation on my own because I’m trying to avoid paying for an expensive certification. But if you can afford it, many ed tech providers use the iKeepSafe Certification for FERPA and others — it will cost you $6,400 but with it you’ll get a review from iKeepSafe plus steps to remediate gaps.
But first…Why should you care?
First and foremost, if you’re working with schools and collecting student data, ensuring you are collecting and managing it properly is just the right thing to do. It will help you keep data secure and build trust with schools and families.
Plus, practically speaking, if you’re looking to get schools to adopt your solution, they’ll want to ensure you are FERPA compliant. Any school that receives federal funding must be in compliance with FERPA, which means almost all public schools.
What to do to be FERPA Compliant
Requirement 1 — Proper Disclosure
In my opinion, the biggest FERPA challenge to companies is managing parental disclosure. Basically, this means parents have a right to know what information a school is sharing about their child. Makes sense.
Where it gets slightly complicated is that there are 2 options to ensuring disclosure.
Disclosure Option 1 — Parental Permission
This is just what it sounds: the school gets permission from parents to disclose information to a 3rd party provider. Under FERPA, a school may not generally disclose personally identifiable information from an eligible student’s education records to a third party unless the eligible student has provided written consent.
While this ensures opt-in from families, the school likely has multiple/many technologies it is using to provide school services and this can become pretty cumbersome.
Disclosure Option 2 — School Official Exemption (most common)
To ease the burden of parental permission, FERPA allows for an exemption known as the “School Official Exemption.” When schools and districts outsource institutional services or functions, FERPA permits the disclosure of PII from education records to contractors, consultants, volunteers, or other third parties provided that the outside party:
- performs an institutional service or function for which the agency or institution would otherwise use employees;
- has been determined to meet the criteria set forth in the school’s or district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records;
- is under the direct control of the agency or institution with respect to the use and maintenance of education records; and
- uses education records only for authorized purposes and may not re-disclose PII from education records to other parties, unless the provider has specific authorization from the school or district to do so and it is otherwise permitted by FERPA.
When PII from education records is disclosed to the provider, FERPA still governs its use, and the school or district is responsible for its protection. PII from education records disclosed under FERPA’s school official exception to consent may only be used for the purposes authorized by the respective school or district.
What this means for you as the provider is that you need to work closely with the individual school district to ensure you qualify under this exemption; and, if you do, that the school district has control over the data and how it is used.
Requirement 2 — Access to Records
Under FERPA, a school must provide an eligible student with an opportunity to inspect and review his or her education records within 45 days following its receipt of a request. If you’re a modern technology provider, this most likely means managing data through a cloud provider and facilitating data access to school officials and/or parents.
Requirement 3 — Access to Amend Records
Under FERPA, an eligible student has the right to request that inaccurate or misleading information in his or her education records be amended. While a school is not required to amend education records in accordance with an eligible student’s request, the school is required to consider the request. For Invincible, we’ll most likely facilitate this via in-app editing to ease the requirements to manage record changes.
Requirement 4 — Annual Notification
Under FERPA, a school must annually notify eligible students in attendance of their rights under FERPA. While this is most likely to come from the school, it is a good best practice to get in the habit of.
Requirement 5 — Data Security (kind of)
This isn’t technically part of the FERPA Regulation, though ensuring the right set of technical and administrative safeguards are just table stakes for collecting student data.
Data under FERPA
FERPA is all about student data. It characterizes 3 main considerations for data:
Records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution.
- These records include, but are not limited to: transcripts, class lists, student course schedules, health records, student financial information, and student disciplinary records. It is important to note that any of these records maintained by a third party acting on behalf of a school or district are also considered education records.
Information designated by the school or district as directory information may be disclosed without consent and used without restriction in conformity with the policy, unless the parent/guardian or eligible student opts out. Examples of directory information about students include name, address, telephone number, email address, date and place of birth, grade level, sports participation, and honors or awards received.
Personally Identifiable Information
Data that could be used to identify a student and includes direct and indirect identifiers:
- Direct identifiers: Such as a student’s or other family member’s name)
- Indirect identifiers: Such as a student’s date of birth, place of birth, or mother’s maiden name).
I steal shamelessly, especially when it comes to big scary pieces of legislation like FERPA. Here are 2 companies that seem to be doing it well:
Here is a checklist I put together of activities to be FERPA Compliant.
- Post Terms of Service (model terms of service here).
- Create privacy help documentation (e.g., FERPA for schools inspiration).
- Create permission form template (inspiration) — in case you do not qualify under the “School Official Exemption”.
- When working with school: Ensure qualification for “School Official Exemption” OR receive parent permission to use Invincible
- Only collect minimal amount of information needed to complete responsibilities
- Ensure data security (including, security plan, breach procedures, and data destruction procedures)
- Provide access to education records to parents if requested (and ability to make changes if requested)