EdPolicy -FERPA, Privacy Policy for Educators, Schools, Districts, Administration, Students & Families

Jenny Balliet
40 min read · Jun 17, 2020

Policy Education: A multi-faceted look at Education privacy in the Digital Transformation?

Disclaimer: This is offered for educational purposes only. I study law, I am not an Attorney; this article shall not construe any legal, financial, nor investment advice.

INTRODUCTION

FERPA, short for the Family Educational Rights and Privacy Act, 34 CFR §99.3; 20 U.S.C. § 1232g et seq., has had multiple amendments. [1][2] It is important for educators and parents alike to understand FERPA, in that it relates to any educational institution/agency/state agency that receives federal funding. Further, in some cases, teachers may inadvertently waive parental rights without realizing they are doing so. In most cases, FERPA requires consent of a parent or eligible student, unless there are “legitimate educational interests.” 20 USC §1232(g)(b)(1)(A). As always, the law is full of nuances; therefore, there are some exceptions to the law as stated. To begin with, we will focus on the meaning of the bolded terms below. In subsequent articles, we will address other facets of the law and policy. The terms in bold are the most relevant to general education in light of COVID-19, and are imperative to dissect. These laws impact us all, and it is critical we all understand the rights of privacy and the ethics surrounding data.

Privacy a 100 Year Old Debate

As an Education & Technology policy writer and researcher working within the emerging technology sector, I have studied a great deal on privacy. [42][43] The intersection thereof collides with the multiple divergent stakeholders within both fields. Likely, these collisions occur behind the scenes, in ways that were not fully disclosed, nor even moderately understood. [40] Per a 2013 Fordham Law Center report, 95% of districts use cloud services, yet,

“Districts frequently surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice. FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.” [41]

Yet, as educators and parents, we must protect our children. They possess greater privacy rights than adults. Failed data aggregation projects that personalize learning, e.g., the Gates Foundation’s InBloom, shone a spotlight on the critical lack of understanding among all stakeholders within education. [40][42][43] With this in mind, I consider education privacy policy and adherence thereto the canary in the proverbial coal mine, or should you prefer the dystopian analogy, the slippery slope to surveillance capitalism. We are at a critical juncture. If we do not educate the masses, and do so “swiftly,” soon it will be too late, the canary will be dead, and we will have lost our last chance to exert a fundamental right to privacy. The dichotomous nature of privacy and convenience has misled many. This debate began long ago, with the notable text from Warren & Brandeis, 1890, The Right to Privacy, the very foundation of privacy law. 4 Harv. L. Rev. 193 (1890–1891) [12]. Ironically, this debate is as controversial and full of false rhetoric today as it was in 1890. I realize that privacy may not be on your top 10 list, but I ask you to reconsider this given the following.

With respect to FERPA, professionals have lost their jobs, School Districts have been embroiled in intense, costly litigation, and both parents and States have filed suits. What could this mean to you as an Educator, parent/family, eligible student, or administrator? Read on as we explore the intersection of education and privacy, an exciting journey with more twists and turns than many novels.

Given this is the first article of many to educate on Education law and policy, I explain the general vocabulary and why you may see differing citations or terms. Feel free to skip if you are a legal eagle. I was quite confused in the beginning of my studies by the CFR, FR, & USC. I did not find a good source to explain, so I added this section for your reference. I refer to this as Fluffy. A nod to what else? Teaching! [15]

Legal Research: ‘Fluffy’ Overview: Law, Legal Reference, & Authority: USC, FR, & CFR?

There are some general characteristics of all laws and three readily cited sources. Each law has a name, in this case: Family Educational Rights and Privacy Act of 1974 (FERPA), and a number, in this case: Pub. L. 93–380, title V, Sec 513, Aug. 21, 1974, 88 Stat. 571, from Congress. The law is then codified into the United States Code, in this case: 20 U.S.C. 1232g, which is divided into 54 Subject Titles, since laws may span across multiple subjects. It can be very difficult to find all the pieces. Therefore, one uses the “short title.” In FERPA, see 20 U.S.C. 1221 note, to begin the scavenger hunt. [3][11]

The law, passed by the Legislature, also needs to be regulated through an Administrative Agency (Executive Branch), in this case, the U.S. Dept. of Education promulgates or creates the regulations needed to enact the law (Separation of powers). These regulations are published in the Code of Federal Regulations (CFR), which is why each law will have a coordinating CFR citation. Regulations must be consistent with the USC /passed law as they have the same enforcement as law. The CFR is published annually in a title-based schedule. As regulations are published daily, they are available within the Federal Register (FR), prior to the CFR. [10]

Terms Discussed : FR | USC | CFR

FERPA OVERVIEW

FERPA 20 U.S.C. § 1232g(a) et seq., states in pertinent parts,

“Conditions for availability of funds to educational agencies or institutions; inspection and review of education records; specific information to be made available; procedure for access to education records; reasonableness of time for such access; hearings; written explanations by parents; definitions”

Given this article is for your reference, each section has a quick summary of the terms to break up the dense content and facilitate your understanding. Each mini section has its own section break for simplicity. Think of these as a “word bank” of critical competencies. First, we discuss how Federal funds are related to privacy. Then, we define an education record and look at the types of data that EdTech has introduced, which muddy the waters. The aggregation thereof is causing ethical dilemmas as schools continue the march towards surveillance states. [37][42][38]

Parents, and in some cases eligible students, hereinafter (Parents), have several rights to their child’s data: Access, Inspection, Review, Amendment, Hearing, & Disclosure. By not taking proper care of student data, including understanding exactly where the data is stored, who has access, if the storage is outsourced, where it resides, what protocols are in place, and who owns said data [41][38][39], schools may unintentionally violate the law. [39][19] Put another way, many schools are betting their Federal funding on EdTech vendors whose due diligence may be a wildcard, or worse. Case in point: Zoom. [43] FERPA is frequently confounded by several pitfalls; two of the largest are big tech big problems and the dynamic family structure that introduces new ethical dilemmas. However, have no fear: by following the best practices from the resources and experts, educators will properly understand the types of data and the importance of compliance, and families will be able to advocate for their rights with insight. FERPA has several applications; however, we will only touch on topics as they relate to E-learning and COVID-19. Subsequent articles will address additional facets.

Terms Discussed: FERPA

Federal Funds

First, it may seem odd to discuss federal funding given that education is a state right. The roots of such funding are the first topic of interest in FERPA, as any institution that does not comply with FERPA cannot accept Federal funding. Earlier I alluded to this by noting that many Districts are betting the farm on wildcard vendors. Federal funding first appeared during the Elementary and Secondary Education Act (ESEA) of 1965. [7] Traces can be found earlier, but the incorporation of K-12 Federal funding is largely due to President Lyndon Johnson, who ironically began his career as an Educator. [6] One program that most Educators know well and is still in use today is Title I. [13] Federal funds are only one of the three elements of the school funding formulas. The State also provides funding, as do local property tax levies.

20 U.S.C. § 1232(g)(a)(1)(A)

“No funds shall be made available under any applicable program to any educational agency or institution which has a policy of denying, or which effectively prevents, the parents of students who are or have been in attendance at a school of such agency or at such institution, as the case may be, the right to inspect and review the education records of their children…” [1]

Federal Funding to Schools: Mechanism Explained

While Education is a State funded program, some funding may come from Federal sources, e.g., Federal Financial Aid (Title IV) or Title I monies. [7][13] The Free and Reduced School Lunch Program is another example of same from the USDA. [4] In a nutshell, schools are allotted federal funding when they meet certain criteria, e.g., ESSA. [5][7] This is usually done with one of two mechanisms afforded to the legislature in the US Constitution, i.e., the Tax & Spend Clause, Article I Section 8 Clause 1, or the Interstate Commerce Clause, Article I, Section 8 Clause 3, to facilitate the flow of Federal funds into schools. [5][21]

In the event that a State feels that the Federal Government has overreached, by making the conditions too cumbersome or “coercive,” the Supreme Court (SCOTUS) will provide the final word on Constitutionality. [6][17] The majority of funding provided is done so under Federal block program grants under the Tax & Spend Clause, although the Interstate Commerce Clause is also invoked at times, i.e., the Gun Free Schools Act, which was contested on the overreach grounds. [18][44] SCOTUS answered this question in US v. Lopez (1995); the case is beyond the scope here. [18] However, if the “Gun Free Schools Act” resonates, it is likely due to its profound failure, where Kindergartners were suspended for Princess bubble guns and the law was too broadly applied to minority students, fueling racial tensions and the “School to Prison Pipeline.” In sum, “Zero Tolerance yields zero common sense,” and is never a good policy choice. [46][47][48][50][51][52]

Clearly, with the importance of Federal funding to Education, understanding the mandates within FERPA is imperative to both the fiduciary duty to taxpayers and also what I term the fiduciary duty to students. Next, we explore the rights of parents and students with respect to Educational Records. We will begin by defining what constitutes same. [27][38][39][40]

Terms Discussed: Federal Funding | Tax & Spend Clause | Commerce Clause

Educational Records

In 20 USC 1232g(a)(4)(A) the critical term “educational records” is defined with two criteria, (i) “Directly related” and (ii) “Maintained by an educational agency or institution.”

We will skip section (B) as this discusses omissions of (i) Supervisory; (ii) Law enforcement; (iii) Employees; and (iv) Eligible students with respect to medical records, which are not covered under HIPAA, beyond the scope here. [27]

FERPA centers around “educational records,” but in today’s digital society, what constitutes an “educational record?” Anything that contains “direct information of a student” and is “maintained by an agency or institution,” e.g., school, district, institution, or agency, is an education record. As you can see this includes a diverse amount of data. Offering further guidance, the Department of Education provides the following examples: emails referencing a student from any party (redaction may be needed), student work, class lists, grades, transcripts, student disciplinary files, statements in the cumulative file, emails, voice recordings, video surveillance, digitized records, reports, data, documents, all of which can be considered educational records. [8]

FERPA was originally enacted in 1974, therefore, there may be some confusion on what is defined as a record. [27] Herein lies the issue, as records do not need to be confined to academics, but rather span into a vast menagerie of data points. Further, when operators fail to comply with data collected, they may be subject to COPPA and/or other data privacy laws in addition to FERPA. [49][27] Whereas, when Districts fail to comply they may lose Federal funding, the right to share educational records with the tawdry party for a period of five years or both as outlined below, any relief afforded is dependent upon facts and circumstances. Currently, there is no standing for FERPA, which relates to damages. This is beyond the scope here, but will be addressed in subsequent articles. [27]

As noted above, there are several ways to understand the law and policy that surrounds education. Moreover, word choice is critical to careful drafting. Each time we dive into a law/policy, we need to understand what is meant by the terminology, which may differ from the lay definition. Below are definitions from the relevant authority, the USC and CFR, followed by application from a Practitioner, Mr. Rooker, Former Director of the Family Policy & Compliance Office, the regulatory body who investigates complaints. Mr. Rooker opines on the fundamental importance of digitized data and responsibility thereof. [19]

The Law, 20 U.S.C. § 1232g et seq., defines educational records (4)(A),

“For the purposes of this section, the term “education records” means, except as may be provided otherwise in subparagraph (B), those records, files, documents, and other materials which — (i) contain information directly related to a student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.” FERPA, 20 U.S.C. § 1232g(a)(4)(A).

34 CFR 99.3, further notes, the following on “educational records.”

“Record means any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche.” 34 CFR § 99.3

Expert Note: Family Policy & Compliance Office Practitioner

With law and policy, it is always best to turn to an expert. Mr. LeRoy Rooker served 21 years at the U.S. Dept. of Education Family Policy Compliance Office; his biography notes he is “the nation’s leading expert on the Family Educational Rights and Privacy Act (FERPA).” In 2018, he was quoted in an Edsurge article, where he warns of the perils of third party Data providers and their impact on our professional duties in our ubiquitous world of Data. [19] As Mr. Rooker cites,

“[U]nder FERPA, schools are responsible for what their vendors do with data. That means that if a vendor intentionally or accidentally misuses students’ education records, the school would still be at fault….Carefully screening vendors to make sure they are FERPA compliant can help, says Rooker.”

“Among the questions they should ask are how the vendor gives parents and students access to records, and how it prevents unauthorized people from accessing those records.” [19]

Mr. Rooker’s next point more deeply discusses this issue as it relates to apps, software, and technology or Ed tech, which highlights the surrounding concern of late with vendors, e.g., Zoom Voice Communications and Google, plus other large technology companies. [41][42] Of particular note are the “free” vendors. Id.

“Schools should also be careful with online vendors such as apps and websites that offer free services, Rooker adds. Those services might appear free on the surface, but the vendors could be ‘getting paid in education records,’ or mining the data to sell to third-parties, another violation.” Id.

A very similar scenario is alleged in the violations in the suits against both Zoom Voice Communications and Google, each of which is discussed in subsequent articles. Another FERPA professional, Steven McDonald, a FERPA expert & General Counsel at the Rhode Island School of Design, offers the following insight, as also quoted in EdSurge, where he expounds on “free tech.” Id.

Rooker continues,

“’Free’ vendors, he explains, might not cost money, but their business model typically entails data mining, which is not allowed under FERPA.

To stay compliant, schools should understand exactly what vendors are doing with their data. ‘It should be clear that [the data] belongs to the school, not to the vendor, and that the vendor’s responsibility is to process it for the benefit of the school and its students, and not for the vendor’s own benefit,’ McDonald says.” Id.

Redaction to Prevent Double Trouble: When a Record Contains Information on More Than 1 Student

In the event that a record is applicable to more than one student, redaction may be needed. This is discussed in 20 USC 1232g(a)(1)(A):

“If any material or document in the education record of a student includes information on more than one student, the parents of one of such students shall have the right to inspect and review only such part of such material or document as relates to such student or to be informed of the specific information contained in such part of such material.” [27]

Data is an all encompassing term. It is with this in mind that we turn to nuances of sensitive data, Personally Identifiable Information (PII), and Biometrics.

Terms Discussed: Educational Record | Data | 3rd Party | Vendor | Privacy Policy | Disclosure | Data mining | Redact | Compliant | Apps | EdTech | Data Ownership

DATA, Sensitivity Test: PII & Biometrics, Oh, My!

Just as technology has changed the forms of data, so too has it changed the definition of sensitivity. From Personally Identifiable Information (PII) to Biometric Data, we collect vast amounts of data on our students. It is CRITICAL to understand what we are collecting along with all the aforementioned questions surrounding storage, access, and ownership. We touch on Biometric data briefly here, yet it is more fully explored in subsequent articles at the intersection of surveillance and discipline. [52]

The definition of sensitivity can have several permutations as the laws of each jurisdiction are applied. Below we explore the Federal definition, and with respect to biometrics, an Illinois law is applied to better demonstrate that sensitivity is a dynamic algorithm of law and the law is still emerging, as evidenced by the recent settlement of the landmark 2015 case against Facebook Inc., citing the Illinois Biometric Information Privacy Act (BIPA), Patel v. Facebook, Inc., No. 18–15982 (9th Cir. 2019). Moreover, in January Congress held its third hearing on surveillance and Facial Recognition. [23][24]

Surveillance will become a highly controversial issue within Education as more families, students, districts, schools, and policymakers learn the extent to which it has been carried out, in some cases, inadvertently. [25][53][52] In others, as noted by the extensive body of advocacy groups who have signed a letter to Florida Governor DeSantis, the practice is anything but. [52]

Committee on Government Oversight & Reform Facial Recognition January 15, 2020

PII: Direct & Indirect

PII is a special type of Data. In this context we will use the federal definition. Yet, with 50 different state jurisdictions, the lack of standardized terminology adds fuel to the fires of privacy law.

The Department of Education offers the following guidance

“Personally identifiable information for education records is a FERPA term referring to identifiable information that is maintained in education records and includes direct identifiers, such as a student’s name or identification number, indirect identifiers, such as a student’s date of birth, or other information which can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information.” [20][27]

34 CFR 99.3 defines Personally Identifiable Information, as the following:

“The term includes, but is not limited to — (a) The student’s name; (b) The name of the student’s parent or other family members; (c) The address of the student or student’s family; (d) A personal identifier, such as the student’s social security number, student number, or biometric record; (e) Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name; (f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or (g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.” [2][20] Authority: 20 U.S.C. 1232g [1][27]

20 U.S.C. 1232g clearly defines PII as:

“[P]ersonally identifiable information,” means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting” 20 U.S.C. 1232g [1][27]

Biometrics

The Department of Education has delineated this particular data point as biometric,

“FERPA regulations define a biometric record as one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints, retina and iris patterns, voiceprints, DNA sequence, facial characteristics, and handwriting.” [28]

Biometric data is a particular type of data, which is innately unique and would be impossible to replace. Further, this data is widely collected in schools, yet may not be properly recorded/codified as such.

A note of caution: Amazon Alexa, Google Assistant, Siri, surveillance videos, classroom photos, fingerprints for fun, handwriting samples, and other similar data are considered biometric. While a definition exists, the extent to which this data resides in schools may be vastly underestimated and should remain a point of caution for any legal compliance team as the law is further interpreted via judicial opinion. [24]

Terms Discussed: PII | Biometric | Inspection | Data mining | Data Security | Data Privacy

Dissenting Opinion: Time, Inspection, Amendment, & Hearing

In addition to access, parents also have the right to inspect and review all educational records discussed above. In the event a parent is not within commuting distance, schools must facilitate a process for the parent to exercise this right and ensure that parents who request such receive a copy of all of the ‘educational records,’ or that an agreeable arrangement is made. Schools are also required to provide a response to any question or dispute raised. 20 USC 1232g(a)(1)(A)(B) [27]

Brimful of [Access] on the 45: Inspection, & Review

Moreover, the law also stipulates the right to amendment for inaccurate information, a hearing when a dispute exists, and further remedy. While this law protects data, the legislative intent was to provide parents complete and transparent access to the vast amounts of data that a school or its vendors collect to ensure accuracy of such data. Schools that deny any of the above, risk losing their Federal funding. Generally, schools have 45 days to execute such a request. Of note is that differing jurisdictions may have a less generous deadline to produce such, offering even greater reason to follow the best data practices noted below. 20 USC 1232g(a)(1)(A)(B). [27]

“(A) No funds shall be made available under any applicable program to any educational agency or institution which has a policy of denying, or which effectively prevents, the parents of students who are or have been in attendance at a school of such agency or at such institution, as the case may be, the right to inspect and review the education records of their children…Each educational agency or institution shall establish appropriate procedures for the granting of a request by parents for access to the education records of their children within a reasonable period of time, but in no case more than forty-five days after the request has been made.”

“(B) No funds under any applicable program shall be made available to any State educational agency…that has a policy of denying, or effectively prevents, the parents of students the right to inspect and review the education records maintained by the State educational agency …”

While Districts may charge for physical copies, they may not charge for execution of the process. In our society of electronic data, it is best practice for written records to be scanned into the educational record for completeness. Therefore, electronic records should be the norm for appropriate audit. This also facilitates aggregation when requested. Amid COVID-19 and institutional closures, there may be reasonable deviations from same. However, legal counsel should always be consulted. The CFR offers more particulars, as is usually the case. In addition to the data, an audit log must accompany same. Anyone accessing the student’s data must be listed with the proper exemption, i.e., “legitimate educational purpose,” including their title and rationale. This log would be a good use of a “Blockchain or distributed ledger technology,” for efficacy.

Amendment, Hearing, & Destruction

In the event a parent has a question, the school must give the parent an explanation, and if the parent is not in agreement, the school shall offer procedures for a hearing. If after the hearing there is still a dispute, the parent may attach an explanation to that portion thereof. Not all things are allowed to be disputed. Alas, it bears stating that once the parent requests records, the Institution may not dispose of or otherwise “destroy” any data, as cited by 34 CFR 99.3 [1][27]

“(b) The educational agency or institution, or SEA or its component, shall comply with a request for access to records within a reasonable period of time, but not more than 45 days after it has received the request.

(c) The educational agency or institution, or SEA or its component, shall respond to reasonable requests for explanations and interpretations of the records.

(d) If circumstances effectively prevent the parent or eligible student from exercising the right to inspect and review the student’s education records, the educational agency or institution, or SEA or its component, shall (1) Provide the parent or eligible student with a copy of the records requested; or (2) Make other arrangements for the parent or eligible student to inspect and review the requested records.

(e) The educational agency or institution, or SEA or its component, shall not destroy any education records if there is an outstanding request to inspect and review the records under this section. (20 U.S.C. 1232g(a)(1)(A) and (B))”

Terms Discussed: Inspection | Review | Amendment | Hearing | Destruction

Disclosure, Legitimate Educational Interest, Directory, Enforcement, & Audit

Prior to disclosure of student data, the law mandates that parents must authorize such, unless one of two exemptions is present.

1. The Educational Official Exemption; and

2. Directory Information.

Each comes with its own criteria for compliance. It is of the utmost importance that the details of storage, security, access, and ownership be properly addressed through any third party vendor contract. At times, EdTech companies may require data in order to “provide services.” [37] Though in other cases, tech companies, after regulatory probe, and prompted by advocacy initiatives, finally admit that they have broken this promise of fair data collection. One such example is noted in the initial complaint of New Mexico v. Google, whereas Google claims that they only collect the required information, yet in 2014, Google admitted they had in fact broken this promise and had a practice of scanning through student emails without a legitimate need to do such. [25] These faux pas become exceedingly important in the tech sector, e.g., Google boasts over 80 Million global users including Google Education and Chromebook users. [25] The ubiquitous data that is transacted daily across our nation’s schools/institutions mandates proper and compliant data collection, storage, access, security, and disposal. While beyond the scope here, this is discussed in its entirety in subsequent articles. [28][29][25][19]

(b) Release of education records; parental consent requirement; exceptions; compliance with judicial orders and subpoenas; audit and evaluation of federally-supported education programs; recordkeeping

(1) No funds shall be made available under any applicable program to any educational agency or institution which has a policy or practice of permitting the release of education records (or personally identifiable information contained therein other than directory information, as defined in paragraph (5) of subsection (a) of this section) of students without the written consent of their parents to any individual, agency, or organization, other than to the following —

(A) other school officials, [or others] that have “legitimate educational interests…” [27][1]

FERPA not only allows parents to review, inspect, and request correction of the student’s educational records, and provides for a hearing or remedy, but also mandates that schools create an audit log, which cites the parties who have requested access and the “legitimate educational interest” of each.

Broken Promises:

“Each educational agency or institution shall maintain a record, kept with the education records of each student, which will indicate all individuals (other than those specified in paragraph (1)(A) of this subsection), agencies, or organizations which have requested or obtained access to a student’s education records maintained by such educational agency or institution, and which will indicate specifically the legitimate interest that each such person, agency, or organization has in obtaining this information.

Such record of access shall be available only to parents, to the school official and his assistants who are responsible for the custody of such records, and to persons or organizations authorized in, and under the conditions of, clauses (A) and (C) of paragraph (1) as a means of auditing the operation of the system.”

Third Party Software, Apps, et al.

(B) With respect to this subsection, personal information shall only be transferred to a third party on the condition that such party will not permit any other party to have access to such information without the written consent of the parents of the student.

If a third party outside the educational agency or institution permits access to information in violation of paragraph (2)(A), or fails to destroy information in violation of paragraph (1)(F), the educational agency or institution shall be prohibited from permitting access to information from education records to that third party for a period of not less than five years.

FERPA is a federal law; therefore, every state must follow FERPA as outlined above. However, each state has education laws and privacy laws, causing a permutation of clauses and conditions that may bear significance. One such example, which will be discussed in future articles, is the Illinois Biometric Information Privacy Act (BIPA) as it applies to private entities; it relates to many conversations about surveillance but is beyond the scope here. [23]

Terms Discussed: Disclosure | Directory | Notice | Parent | Parental Consent | Legitimate Educational Interest | School Official Exemption | Audit

APPLICATION OF FERPA

Now that you understand FERPA, let’s dive deeply into why you are poised to change the Educational system, as outlined above. [27][1] Privacy is a fundamental right; this includes data privacy. Most districts have no idea what data is collected, stored, used, or wrongfully disclosed. [41][40][19] Some districts do not have any idea of what apps, software, hardware, IoT, or other devices are in use in classrooms within their domain, let alone the terms of service that may or may not be updated without notice. Id. Sometimes technology providers evade this via a concept known as “click wrap.” Id. Unfortunately, as Mr. Rooker points out, the legal canon “ignorance is bliss” does not hold true. [19] Further, you now know that at a bare minimum, both Federal funding and interoperability may be lost if the data is misappropriated. Mr. Rooker points out other sanctions that may be assessed. In our application, we will look at both Emerging Technology and Big Tech, then apply that to a hypothetical correlating that within our current school funding formulas, and finally address ethical dilemmas of the dynamic families that I repeatedly see overlooked due to the lack of awareness surrounding data privacy.

Emerging Tech Scales in Regulated Markets

How do these practices occur? Most of this is done covertly and not always intentionally, to begin with. The issue of emerging tech is a chicken and egg issue. As one builds a platform/company, mechanisms are put in place for limited scale, which may be good for some sectors that do not value privacy; however, when an emerging technology company crosses the enterprise line or attempts to disrupt a regulated industry, things can become messy without proper adherence to compliance. A few examples of such are healthcare, financial services, legal services, and capital markets. For whatever reason, most overlook the fact that Education is heavily regulated. [41] This is especially true with respect to data privacy, given the majority of users are one of the most protected classes of data citizens, CHILDREN. As these companies scale, they likely use sloppy architecture, as we saw with Zoom’s habitual privacy faux pas since pre-IPO, discussed in Glenn Fleishman’s summary of Zoom’s history, along with the two EPIC Privacy complaints and the shareholder lawsuit filed against Zoom. [41][43][19][57] Much of this is beyond the scope here and is addressed in my article, Open Letter to 90K Educational Institutions, Please Do Not Use Zoom: Repeated flaw of privacy, security, & transparency are not in the best interest of our students.

Shareholder lawsuit filed against Zoom for repeatedly failing to disclose privacy risks. Contains a summary history of events up to April 2020; see also [43]

Doc Searls, who runs the VRM project at Harvard’s Berkman Klein Center for Internet and Society, sums this up nicely as he explores People v. AdTech. AdTech is the intersection of advertising and technology. He has also opined on Zoom in this respect. [55][56][58]

EdTech is not AdTech.

In conclusion, when using technology, cloud, edge, or other storage mechanisms, it is critical to understand how these technologies impact your industry. Technology by its very nature is esoteric, which only complicates matters.

Key terms: Regulated industry | Adtech

Big Tech, Big Problems - Applying FERPA: Zoom, Google & the Lure of Free Software

In cases such as ZOOM or Google, in-depth analysis would depend upon the terms of service/terms of the contract. [25][19][43][58][57] In the case of ZOOM, at times, teachers have opted into the contract aside from their District. [19][43] As has become clear, Educational records from technology providers need to be in the control of the school in order to comply with FERPA, yet in some terms of service, when using the said service, one may only qualify for a copy by summoning the appropriate ‘data god’ (operator). [19][41][27] This does not comply with FERPA. Id. Further, it is imperative to do proper contract reconciliation and ensure careful drafting. [41][43] Due diligence is an enormous part of this reconciliation. As Mr. Rooker points out, it is on the Educational Institution to conduct appropriate due diligence on contract terms. [19][41] Where, in both the ZOOM and Google cases, the allegations point to practices contrary to the contracted terms, the facts and circumstances will likely weigh heavily on whether student data was breached and to what degree. [43][25][41][42][57][71]

A good read for anyone looking to better understand what the state of data security is in schools. Document notes for article are included. [59]

Regardless of any “free software” agreement, FERPA and other relevant law are still in full force. [27][1]

N.b. no parent may be denied access, inspection, nor the opportunity to correct improper data if the school accepts Federal funding.

Current School Funding Formulas Create Muddy Waters in School Funding: Would Data Breach Provide a “Special Purpose Vehicle,” to Address the Digital Divide & Clarify the Law?

One key takeaway is that it should come as no surprise that technology companies maneuver through our patchwork of privacy law. This must be addressed. I discuss this in alternate articles; however, could these breaches in trust be leveraged to address the digital divide in other ways without the providers who are a party to these suits? [61][60] In accordance with FERPA, any party found to misappropriate student data would not be allowed to have access to student data for a period of up to five years, generally speaking; I am sure there are loopholes here given the state of privacy law. [27][60] Could this open up a marketplace for true data privacy as a service in Education? Access of technology companies to student data, including but not limited to their transparency in Education, or lack thereof, is another highly probable use of Blockchain to hold these conglomerates accountable. This could be as simple as a smart contract to verify compliance, discussed in subsequent articles.

Innovation: Education Funding & Technology

Education funding is the primary reason that many schools lack technology. In a letter from the U.S. Dept. of Education, this was addressed with respect to IDEA funding and assistive technology. [63] The embedded letter discusses this in more detail, however, this was 2017.

Education funding formulas. When teachers are questioned as to why there is not greater technology within the schools, the typical answer is funding. Yet, if these big tech companies are breaching our students’ data, per the damages requested in New Mexico v. Google, could damages be used to address the Digital Divide? [61] These are the creative solutions that may come of this and why we must create proper policy to address this.

As I advocate for parents/students, consult with schools on the importance of privacy and ed policy, and study breaches, privacy, and technology practices from emerging tech to big FAANG (Facebook, Amazon, Apple, Netflix, & Google), I have encountered some facts of concern, particularly in the last two years researching Google Education and “Chromebooks.” The surrounding costs and the ultimate payer in such situations are not readily apparent, as it is not clear who is paying and/or what “grants” have been employed to finance such. I predict this will be a complicated question of law in that likely these big tech companies were given funds in some manner; I have begun filing Freedom of Information Act requests (FOIAs).

Lease, Payer, & Services?

There are certain provisions where taxpayers cannot be compensated within school funding formulas. If parents were required to pay for the “lease” or “maintenance” of these machines, as I have been told, and, per the inquiring parents, many of the machines are entirely out of date and carry disproportionate fees, who is the aggrieved party? Parents, Schools, Parent Teacher Organizations, or other non-profit entities? While the services are free, what significance that holds, and the extent to which the schools had or did not have a choice with respect to technology, may also illuminate other regulatory schemas that may weigh in.

Data Valuation? A Hypothetical Argument

What if Tech received a taxable contribution write-off yet sold student data, the Board or other school entity paid for the technology in good faith with funds collected from their stakeholders, and later this practice was unraveled? The Tech company received a 5x return because of these five factors.

- Users for “life” due to lack of interoperability and coercion of services

- Taxable contribution for their “kind donation.”

- Sale of data proceeds to other parties and for their own proprietary gain

- Edge over compliant peers unfairly

- Funds from schools as they ‘upsold’

The fifth question here is interesting: who paid? Does the ‘wrong’ change if the party changes? In cases of charter schools, despite the taxpayer funding, there is no right to property, as reported in the Washington Post. [65] Regardless of the ultimate payer, the only way to stop this maleficence, which erodes our right to privacy and costs us in tangible and non-tangible ways, is to be vigilant to the practices of technology and understand the terms of service, and the location, storage, access, and ownership of data.

I strongly advocate that unless educators, parents, students, school boards, and policy makers hold these companies accountable, we will lose the little privacy our students have left. We must act to stop this behavior immediately. In the documentary The Great Hack, it was noted that in 2018, data became a more valuable commodity than oil. [54][45] While that is up for debate, educators have a professional duty to protect students’ data regardless of value.

I suggest that parents request their child’s data from each individual operator or school prior to, or at, the age of 13. I also recommend that parents request their child’s data archive under FERPA and examine it for accuracy. [27][43][41] When most of us graduated, our transcripts served as the only data point; now students have a trove of data to contend with. It is imperative this data is properly protected to the fullest extent of the law. These students have an innate immunity to the predatory data practices that others do not, unfortunate as the law stands today. [71][70]

I earnestly hope that cases such as these become the “Big Tobacco” of data privacy, in that any relief imposed actually deters, versus merely brushes the practice away. If any entity is found to have violated FERPA, the regulation as stated notes that the entity would not be allowed such for a period of at least 5 years. It is up to us as stakeholders of education and students’ right to privacy to contact our lawmakers and hold these companies accountable. We can only exact change by educating and advocating. InBloom was only the beginning; what if we had a situation of InBloom aggregation + Zoom Architecture & Google Adtech Privacy + Surveillance and expulsion using the surveillance and ubiquitous data that schools clearly do not understand? [27][63][61][19][25][38][66]

Terms Discussed: Data mining | Data Security | Privacy | Emerging Technology | FAANG | Cloud Computing | Aggregation

Ethical Dilemma as a Dangerous Cocktail: Disputes, Controversy, and Lack of Proactive Policy

One of the things I educate families, teachers, and school districts on is a term known as toxic or hostile parenting. [29][35] In this example, one parent will use mechanisms that an institution such as the school may not be well aware of in order to either isolate the child or, in extreme cases, alienate the child against the parent. [2][5][34][32] Quite simply, schools should not be placed in the midst of custody disputes. [30] However, many times they are. Just as there is mandatory child and abuse training, schools should become well-educated on the tactics that some litigants may resort to in order to achieve their misaligned objectives using the unsuspecting schools. [29][34][33]

FERPA Policy & Law Applied to Family Conflict

To answer this ethical dilemma, we as educators must be guided by our core ethos, to behave in the best interests of our students.[36][230[33] The law guides us in this. Time is precious, records may be difficult to update, and once false data is input into a system it may be difficult to remedy due to siloed data. When I advocate for families who feel that they may have been victims of this, I first suggest that they invoke their FERPA rights and do so as expeditiously as possible. In accordance with the law, they should request a complete review of their child’s entire educational record, including but not limited to the audit record stating the “legitimate educational interest,” and all other educational records, because the law not only provides the ability to inspect, but also to review and request correction of false data. [36][6][30] Cases have surfaced where one parent stated false data, which, unbeknownst to the other, improperly severed their rights, because the school took one parent’s word. This takes time to remedy. I strongly encourage schools, prior to noting any data such as this into any “learning system,” to consult their General Counsel as to appropriate documentation.

In many cases, the parent who leveraged the school was difficult to spot and said parent was highly involved. These parents may assert themselves as a caring parent who was abandoned by the other spouse, or make other comments that concern you. Please, do not let your relationship with the parent sway your legal duty. Id. Consult your General Counsel. As sad as it is, other parties within the case may attempt to complicate and leverage. In cases such as this, the duty of the school is clear with regard to privacy and records. Again, if there is not a Court Order contra, both parents are assumed to be custodial. Id. Perception is not always reality, and just as with our students, there are usually two sides to each story.

As we discuss ethical dilemmas, this is an area that I have watched Districts and parents struggle with while children, caught in the crossfire, spiral downward. Therefore, I urge you, please use the utmost caution when you document custodial rights in a child’s record, electronic or otherwise, as it is the rebuttable presumption that both parents are custodial regardless of where they live unless you have a court order on file contra. While it may be a simple oversight and may seem insignificant, in the life of a child who is isolated from a parent, careful adherence to all State and federal law as a matter of policy may save a child from this fate and may also save your District from an FPCO complaint under FERPA; such complaints are lengthy and encompass Administrative law processes. As an aside, Court Orders are easily found online; they are public records, therefore, they are relatively easy to obtain in the event you have a concern. [30][36][35][31][29]

Terms Discussed: Parent | Ethical Dilemma | Toxic Parenting | Public records

Best Practices — What Can Schools Disclose?

1. Metadata. The underlying data within applications/software. There is significant discourse on whether or not some metadata is de-identifiable. This is beyond the scope here, but a note of caution is placed, as institutions must ensure that “metadata is fully de-identified” and has no way of containing PII. [74]

2. School Official Exemption. Many schools release data to apps and services such as Google, but if that data was released under the School Official Exception and is re-used in any way that is not in the educational interest, as defined by the criteria below, this is a violation. [66][19][41][43] As soon as schools become aware of this practice by any vendor, as Mr. Rooker notes, they have a duty. Schools should block the application and negotiate to obtain the students’ data back. It is their duty to protect, as Mr. Rooker pointed out above. This is also highlighted in the PTAC guidelines. [19][75]

1. Performs an Institutional service that would normally be in house. (outsourced)

2. Meets the criteria set forth within the annual notice, “legitimate educational interest.”

3. Data remain in direct control of the Institution, allowing compliance with FERPA.

4. Use Educational records for authorized purposes only. May not re-use, re-sell, or use for ANY other purpose unless specifically directed by a school and in compliance with FERPA. [27][75]

Taken from Fordham Law Study on Cloud Computing [41]

3. Directory Exemption. Other schools may release the data under the Directory exemption; however, these criteria shall be followed: (1) Must meet the terms of the disclosure in the annual notice. (2) Must have a chance to opt out. (3) Data of any student(s) who have opted out cannot be released. [66]

Notes from the World Privacy Forum “Without Consent” Report [66]

4. Direct Control. Schools need to remain in direct control of student data. It is best practice to understand the data storage, security, and retention policies. It is recommended that schools have a pre-approved list of click wrap-approved contractors. Click wrap agreements are the “click if you agree” box you must check in order to use the services contracted, i.e., software, applications, drivers, or services. By doing such, the party, whether legally authorized or not, has entered into a contractual agreement. Ergo, a teacher may unknowingly enter into a contract that does not meet proper and compliant data protocol simply by clicking. The process for “free” apps should follow the same process as paid purchase order requisitions to ensure appropriate safeguards of data privacy law and cybersecurity are executed. Id. [75]

“the framework under which the school or district uses the service must satisfy the “direct control” requirement by restricting the provider from using the PII for unauthorized purposes.” Id.

“…[I]n practice, schools and districts wishing to outsource services will usually be able to establish direct control through a contract signed by both the school or district and the provider. In some cases, the “Terms of Service” (TOS) agreed to by the school or district, prior to using the online educational services, may contain all of the necessary legal provisions governing access, use, and protection of the data, and thus may be sufficient to legally bind the provider to terms that are consistent with these direct control requirements” Id.

5. Immediate Access. Regardless of the agreement, schools must be able to provide access to these within 45 days, though some states have shorter timelines.

“Schools and districts should ensure that their agreements with providers include provisions to allow for direct or indirect parental access…Thus, even when sharing PII from education records under an exception to FERPA’s consent requirement, it is considered a best practice to adopt a comprehensive approach to protecting student privacy when using online educational records.” Id.

6. Centralized List/Audit Log/Processes. All sources of student data should be in one list. This includes but is not limited to applications used in class, software, accounts, hardware, and IoT connected devices if individual student data is housed, including voice and biometric data. [41]

Terms Discussed: Audit | Direct Control | IoT | Exemption | Metadata | TOS

Review & Closing Thoughts

There has been a lot of new “data.” In this section, we will review a few key points that are particularly relevant to these unprecedented times of COVID-19.

Educational Records & Clear Communications. Given emails are considered part of the educational record, it is only proper to remember that when you email a colleague and include a student data point, as defined above, including their name, it is part of their educational record. Be professional; parents and students are privy to these. If you cite more than one student’s name in an email, this will become part of both students’ records. Think before you type. Best practices may vary by jurisdiction, but should include keeping accurate records and staying apprised of all applicable law and policy, including federal, state, local, district, and in some cases, county, to ensure communication and disclosure are both proper and compliant.

Parental Review: Schools must make adequate accommodations for parents to access, inspect, review, dispute, offer amendment, and even offer a hearing, or rebuttal thereof. Understand EACH technology service your District employs, including ALL data sources. It is imperative to evaluate the terms of service contracted, including but not limited to each vendor’s collection, storage, access, and ownership policies.

“Free Services.” While FERPA allows disclosure of some information for “legitimate educational purposes,” as it becomes known that multiple online services are selling data for non-educational purposes, i.e., potential profit, or in some egregious cases using a suboptimal encryption schematic, the application of FERPA at the intersection of access and disclosure will prove paramount. [41] We have a duty to protect our students from predatory practices of tech. Educators have a duty to protect students’ records, and parents have rights to ensure the records are accurate. While schools have the right to refuse amendment thereof, they do not have the right to refuse inspection, among other rights mentioned above. Continuing on, there are provisions where if a parent’s amendment is not honored, they are allowed to attach a letter of rebuttal to the student’s educational record. [75][19]

As our schools are moving to data and surveillance, it is imperative we understand these rights. Apropos of students’ rights, in the New Mexico v. Google case, it is not only student records that are alleged to be under exploit, but rather there is a backend merge of personal and educational accounts that may be placing the private data of families, teachers, staff, and students at risk. Just as we seek to model proper cyber behavior for our students and our own children, we must protect students’ data from the predatory data practices that exist today.

Aside from students’ rights, in New Mexico v. Google, it is not only student records that are alleged to be under exploit, but rather through a contradictory practice of privacy by design, personal and educational accounts may be placing private data of families, teachers, staff, and students at risk. [25]

Privacy policies are imperative. While it may not be in your particular domain to understand every aspect of such, it is highly recommended that you rely on Counsel to guide you through. Each school and/or school board must have appropriate digital policy. One example that may be made even more difficult for districts to navigate in the digital age is a contested custody dispute, when one party has stated an alternate custodial arrangement than what the court Ordered. Generally, if you do not have a court Order citing custody is solely assigned to one parent, and you deny or restrict the role of a parent who does, in fact, have joint custody, ‘just to be safe,’ as the other parent has told you such, you may have just inadvertently violated the law. It is always best to seek advice from your General Counsel.

In conclusion, by making yourself apprised of the law, creating careful policy in accordance with all applicable laws of jurisdiction, and adhering to your said policy without deviation, your District, school, and families will all understand the value placed on data storage, retention, access, and disclosure. You will model digital citizenship and can both articulately educate and advocate this fundamental right.

Key Points:

Parental Rights: Access; Inspection; Review; Amendment; Hearing; Rebuttal

Disclosure: Legitimate educational interest; School official exemption; Notice

Educational Records: PII; Biometric; Storage; Access; Disclosure; Data

Violations: Vary by jurisdiction; Loss of Federal funding; Operator may not have access to data for a period of at least 5 years.

Highlighted Issues: Family conflict; Surveillance (bullying/discipline/suspension/expulsion); Data privacy; Vendor due diligence; Digital divide; Cloud computing

Have questions, comments, or a story to share? My DMs are open.

I coach, follow, research, and write on the multi-faceted need for responsible, compliant innovation in education within schools, the workplace, and beyond. You can find me on Twitter LulaEducate or on the web at Lulaco.io, or LulaEducate.com for Edpolicy issues and advocacy.

Have additional information, or a story to share? I am an MLAW student studying Education, data privacy, & cyber law. I follow, write, and research on the intersections of all of these, including the salient need for education, especially on the elements of compliance and privacy. Responsible technology will revolutionize education at every age, lack of compliance will destroy same.

Resources Consulted Clean Version

Resources Consulted Alternative View

[1] 34 CFR 99.3 — What definitions apply to these regulations? — Content Details — CFR-2011-title34-vol1-sec99–3

[2] 20 U.S. Code § 1232g — Family educational and privacy rights

[3] DETAILED GUIDE TO THE UNITED STATES CODE CONTENT AND FEATURES

[4] Spending power | Wex | US Law | LII / Legal

[5] Every Student Succeeds Act (ESSA)

[5] Spending power | Wex | US Law | LII / Legal

[6] Lyndon B. Johnson

[7] Elementary and Secondary Education Act of 1965

[8] What is an education record?

[9] Code of Federal Regulations (Annual Edition) | govinfo

[10] Family Educational Rights and Privacy Act (FERPA)

[11] TOPN: Family Educational Rights and Privacy Act of 1974

[12] The Right to Privacy

[14] 34 CFR § 300.206 — Schoolwide programs under title I of the ESEA.

[15] Three-headed dog | Harry Potter Wiki | Fandom

[16] The Federal Government’s Authority to Impose Conditions on Grant Funds

[17] Supreme Court: Table Of Contents | Supreme Court

[18] United States v. Lopez

[19] The Unintentional Ways Schools Might Be Violating FERPA, and How They Can Stay Vigilant

[20] Personally Identifiable Information for Education Records

[21] https://www.law.cornell.edu/constitution/articlei#section8

[22] Every Student Succeeds Act (ESSA)

[23] https://twitter.com/LulaEDUcate/status/1217475171478654976?s=20

[24] Facebook, Inc., In the Matter of

[25] https://www.scribd.com/document/460116578/NM-v-Google-Jb-Noted

[26] https://www.scribd.com/document/466002482/Studying-Protecting-Student-Privacy-While-Using-Online-Educational-Services-Student-Privacy-and-Online-Educational-Services-February-2014-0-withMa

[27] https://www.scribd.com/document/458199438/FERPA-20-U-S-Code-1232g-Family-educational-and-privacy-rights-Notes

[28] https://studentprivacy.ed.gov/content/biometric-record

[29] Parent says some parents using Stay at Home order as leverage to keep child more time

[30] American Association of School Administrators

[31] In the case of a divorce, do both parents have rights under FERPA?

[32] What is Parental Alienation & How Does it Show up in Our Schools?

[33] Parental Alienation Syndrome — The Parent/Child Disconnect

[34] Whether direct or indirect, parental alienation harms families

[35] The identification of alienated parents and children: Implications for school psychologists

[36] In the case of a divorce, do both parents have rights under FERPA?

[37] EPIC Student Privacy Rokita Hearing Feb 11 | Federal Trade Commission | Privacy | Free 30-day Trial

[38] Spying on Students: School-Issued Devices and Student Privacy

[39] Deciding Who Sees Students’ Data

[40] Schools Use Web Tools, and Data Is Seen at Risk

[41] https://www.scribd.com/document/465912923/Privacy-and-Cloud-Computing-in-Public-Schools-1

[42] Why Did inBloom Die? A Hard Lesson About Education Privacy

[43] https://www.scribd.com/document/455797839/Epic-Ftc-Zoom-Apr2020-Epic-Ftc-Zoom-Apr2020

[44] The Gun-Free Schools Act of 1994: Zero Tolerance Takes Aim at Procedural Due Process

[45] The Great Hack tells us data corrupts

[46] Kindergartener suspended from Colorado school for bringing in plastic bubble gun featuring ‘Frozen’ princesses

[47] http://www.justicepolicy.org/mobile/news/8775

[48] Zero Tolerance and 100% Common Sense : Educators Need Latitude in Weighing Intent, Danger When Applying Weapons Policy

[49] https://www.govinfo.gov/content/pkg/CFR-2019-title16-vol1/xml/CFR-2019-title16-vol1-part312.xml

[50] US v. Lopez (1995) (article)

[51] United States v. Lopez :: 514 US 549 (1995) :: Justia US Supreme Court Center

[52] Florida Governor Letter | Risk | Mental Disorder

[53] Zoom videos exposed online, highlighting privacy risks — The

[54] Oil vs. Data — Which is more Valuable? | F5

[55] Zoom needs to clean up its privacy act

[56] Berkman Klein Center: home

[57] Drieu v Zoom Video Communications 20-cv-02353 Uploaded by Jenny B.

[58] Every Zoom Security and Privacy Flaw So Far, and What You Can Do to Protect Yourself

[59] Data Security Guide 5 Jan2017 (1) | Health Insurance Portability And Accountability Act | Online Safety & Privacy

[60] Exacting Privacy a 40 Year Quest — Lula & CO

[61] Gov. Pritzker Tells Districts to Prepare for Both E-Learning & Traditional Learning Models in Fall

[62] Is Zoom a HIPAA Compliant Video and Web Conferencing Platform?

[63] DearColleague-Letter-Technology-Jan-2017 | Computing And Information Technology | Business

[64] https://www.scribd.com/document/460116578/NM-v-Google-Jb-Noted

[65] Taxpayers paid for charter school property, but they don’t own it

[66] Without Consent 2020 WithMarginNotes | Privacy | Information Privacy

[69] America’s Schools Have A Big Cybersecurity Problem

[70] https://www.forbes.com/sites/barbarakurshan/2017/06/22/the-elephant-in-the-room-with-edtech-data-privacy/#b76571f57a5b

[71] Google Stops Scanning Student Gmail Accounts for Ads

[72] Student Data Could Pose Privacy Risk

[73] The Constant and Expanding Classroom: Surveillance in K-12 Public Schools

[74] Opinion | Twelve Million Phones, One Dataset, Zero Privacy

[75] https://www.scribd.com/document/466002482/Studying-Protecting-Student-Privacy-While-Using-Online-Educational-Services-Student-Privacy-and-Online-Educational-Services-Febr

Resources Consulted Direct Links

[1] https://www.govinfo.gov/app/details/CFR-2011-title34-vol1/CFR-2011-title34-vol1-sec99-3

[2] https://www.law.cornell.edu/uscode/text/20/1232g

[3] https://uscode.house.gov/detailed_guide.xhtml

[4] https://www.law.cornell.edu/wex/spending_power

[5] https://www.ed.gov/essa?src=rn

[5] https://www.law.cornell.edu/wex/spending_power

[6] https://www.whitehouse.gov/about-the-white-house/presidents/lyndon-b-johnson/

[7] https://www.scribd.com/book/49149656

[8] https://studentprivacy.ed.gov/faq/what-education-record

[9] https://www.govinfo.gov/app/collection/cfr

[10] https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

[11] https://www.law.cornell.edu/topn/family_educational_rights_and_privacy_act_of_1974

[12] https://www.jstor.org/stable/1321160

[14] https://www.law.cornell.edu/cfr/text/34/300.206

[15] https://harrypotter.fandom.com/wiki/Three-headed_dog

[16] https://fas.org/sgp/crs/misc/R44797.pdf

[17] https://www.law.cornell.edu/supremecourt/text

[18] https://www.oyez.org/cases/1994/93-1260

[19] https://www.edsurge.com/news/2018-09-12-the-unintentional-ways-schools-might-be-violating-ferpa-and-how-they-can-stay-vigilant

[20] https://studentprivacy.ed.gov/content/personally-identifiable-information-education-records

[21] https://www.law.cornell.edu/constitution/articlei#section8

[22] https://www.ed.gov/essa?src=rn

[23] https://twitter.com/LulaEDUcate/status/1217475171478654976?s=20

[24] https://www.ftc.gov/enforcement/cases-proceedings/092-3184/facebook-inc

[25] https://www.scribd.com/document/460116578/NM-v-Google-Jb-Noted

[26] https://www.scribd.com/document/466002482/Studying-Protecting-Student-Privacy-While-Using-Online-Educational-Services-Student-Privacy-and-Online-Educational-Services-February-2014-0-withMa

[27] https://www.scribd.com/document/458199438/FERPA-20-U-S-Code-1232g-Family-educational-and-privacy-rights-Notes

[28] https://studentprivacy.ed.gov/content/biometric-record

[29] https://cbs4local.com/news/local/parent-says-some-parents-using-stay-at-home-order-as-leverage-to-keep-child-more-time

[30] https://aasa.org/SchoolAdministratorArticle.aspx?id=19622

[31] https://studentprivacy.ed.gov/faq/case-divorce-do-both-parents-have-rights-under-ferpa

[32] https://www.strategiceducationalservices.com/post/what-is-parental-alienation-how-does-it-show-up-in-school

[33] https://www.socialworktoday.com/archive/102708p26.shtml

[34] https://www.sciencedaily.com/releases/2019/11/191104144131.htm

[35] https://onlinelibrary.wiley.com/doi/abs/10.1002/1520-6807(198704)24:2%3C145::AID-PITS2310240208%3E3.0.CO;2-U

[36] https://studentprivacy.ed.gov/faq/case-divorce-do-both-parents-have-rights-under-ferpa

[37] https://www.scribd.com/document/465019999/EPIC-Student-Privacy-Rokita-Hearing-Feb-11

[38] https://www.eff.org/wp/school-issued-devices-and-student-privacy

[39] https://www.nytimes.com/2013/10/06/business/deciding-who-sees-students-data.html?_r=0

[40] https://www.nytimes.com/2013/12/13/education/schools-use-web-tools-and-data-is-seen-at-risk.html

[41] https://www.scribd.com/document/465912923/Privacy-and-Cloud-Computing-in-Public-Schools-1

[42] https://teachprivacy.com/inbloom-die-hard-lesson-education-privacy/

[43] https://www.scribd.com/document/455797839/Epic-Ftc-Zoom-Apr2020-Epic-Ftc-Zoom-Apr2020

[44] https://digitalcommons.pace.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1265&context=plr

[45] https://techcrunch.com/2019/07/27/the-great-hack-tells-us-that-data-corrupts/

[46] https://www.nydailynews.com/news/national/kindergartener-suspended-bringing-bubble-gun-school-article-1.2641604

[47] http://www.justicepolicy.org/mobile/news/8775

[48] https://www.latimes.com/archives/la-xpm-1995-01-01-me-15304-story.html

[49] https://www.govinfo.gov/content/pkg/CFR-2019-title16-vol1/xml/CFR-2019-title16-vol1-part312.xml

[50] https://www.khanacademy.org/humanities/ap-us-government-and-politics/foundations-of-american-democracy/constitutional-interpretations-of-federalism/a/us-v-lopez-1995

[51] https://supreme.justia.com/cases/federal/us/514/549/

[52] https://www.scribd.com/document/465019535/Florida-Governor-Letter

[53] https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/

[54] https://www.f5.com/company/blog/oil-vs-data-which-is-more-valuable

[55] https://blogs.harvard.edu/doc/2020/03/27/zoom/

[56] https://cyber.harvard.edu/

[57] https://www.scribd.com/document/455778719/Drieu-v-Zoom-Video-Communications-20-cv-02353

[58] https://tidbits.com/2020/04/03/every-zoom-security-and-privacy-flaw-so-far-and-what-you-can-do-to-protect-yourself/

[59] https://www.scribd.com/document/465023720/Data-Security-Guide-5-Jan2017-1

[60] https://medium.com/lula-co/exacting-privacy-a-40-year-quest-8db49c2d66e6

[61] https://medium.com/@lulaeducate/gov-pritzker-tells-districts-to-prepare-for-both-e-learning-traditional-learning-models-in-fall-2773025eb59

[62] https://www.hipaajournal.com/zoom-hipaa-compliant/

[63] https://www.scribd.com/document/459071681/DearColleague-Letter-Technology-Jan-2017

[64] https://www.scribd.com/document/460116578/NM-v-Google-Jb-Noted

[65] https://www.washingtonpost.com/local/education/taxpayers-paid-for-charter-school-property-but-they-dont-own-it/2015/09/16/a6181f5e-5c7b-11e5-9757-e49273f05f65_story.html

[66] https://www.scribd.com/document/465858736/Without-Consent-2020-WithMarginNotes

[69] https://www.huffpost.com/entry/americas-schools-have-a-big-cybersecurity-problem_b_57bf0366e4b06384eb3e770b

[70] https://www.forbes.com/sites/barbarakurshan/2017/06/22/the-elephant-in-the-room-with-edtech-data-privacy/#b76571f57a5b

[71] https://blogs.wsj.com/digits/2014/04/30/google-stops-scanning-student-gmail-accounts-for-ads/?mod=WSJBlog

[72] https://theintercept.com/2015/06/27/child-left-un-mined/

[73] https://scholarship.law.unc.edu/cgi/viewcontent.cgi?article=6749&context=nclr

[74] https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html

[75] https://www.scribd.com/document/466002482/Studying-Protecting-Student-Privacy-While-Using-Online-Educational-Services-Student-Privacy-and-Online-Educational-Services-February-2014-0-withMa


Jenny Balliet

Frmr. Dir. of Presentations, Athena.Trade | E Media Group | Educator | ADD/ADHD Coach | M.Ed. | Writer | MLAW | Founder of MinED & Lula & CO | Mom (14yo Gmer./Writer)