EdPolicy -FERPA, Privacy Policy for Educators, Schools, Districts, Administration, Students & Families

EdPolicy -FERPA, Privacy Policy for Educators, Schools, Districts, Administration, Students & Families Policy Education: A multi-faceted look at Education privacy in the Digital Transformation?


FERPA, short for the Family and Educational Rights Privacy Act., 34 CFR §99.3; 20 U.S.C. § 1232g et seq., and has had multiple amendments thereof. [1][2] It is important for educators and parents alike to understand FERPA, in that it relates to any educational institution/agency/state agency that receives federal funding. Further, in some cases, teachers may inadvertently waive parental rights without realizing they are doing such. In most cases, FERPA requires consent of a parent or eligible student, unless there is “legitimate educational interests.” 20 USC §1232(g)(b)(1)(A). As always, the law is full of nuances, therefore, there are some exceptions to the law as stated. To begin with, we will focus on the meaning of the bolded terms below. In subsequent articles, we will address other facets of the law and policy. The terms in bold are the most relevant to general education in light of COVID-19, and are imperative to dissect. These laws impact us all, as it is critical we all understand the rights of privacy and the ethics surrounding data.

Privacy a 100 Year Old Debate

As an Education & Technology policy writer and researcher working within the emerging technology sector, I have studied a great deal on privacy. [42][43] The intersection thereof collides with the multiple divergent stakeholders within both fields. Likely, these collisions occur behind the scenes. in ways that were not fully disclosed, nor even moderately understood. [40] Per a 2013, Fordham Law Center report, 95% of District use cloud services, yet,

“Districts frequently surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice. FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.” [41]

Footnote 37

With respect to FERPA, professionals have lost their jobs, School Districts have been embroiled in intense, costly litigation, and both parents and States have filed suits. What could this mean to you as an Educator, parent/family, eligible student, or administrator? Read on as we explore the intersection of education and privacy, an exciting journey with more twists and turns than many novels.

Given this is the first article of many to educate on Education law and policy, I explain the general vocabulary and why you may see differing citations or terms. Feel free to skip if you are a legal eagle. I was quite confused in the beginning of my studies by the CFR, FR, & USC. I did not find a good source to explain, so I added this section for your reference. I refer to this as Fluffy. A nod to what else? Teaching! [15]

Legal Research: ‘Fluffy’ Overview: Law, Legal Reference, & Authority: USC, FR, & CFR?

There are some general characteristics of all laws and three readily cited sources. Each law has a name, in this case: Family and Rights Privacy Act of 1974, (FERPA) and a number in this case: Pub. L. 93–380, title V, Sec 513, Aug. 21, 1974, 88 Stat. 571, from Congress. The law is then codified into the United States Code, in this case: 20 U.S.C. 1232g, which is divided into 54 Subject Titles, since laws may span across multiple subjects. It can be very difficult to find all the pieces. Therefore, one uses the “short title.” In FERPA, see 20 U.S.C. 1221 note, to begin the scavenger hunt.[3][11]


FERPA 20 U.S.C. § 1232g(a) et seq., states in pertinent parts,

Federal Funds

First, it may seem odd to discuss federal funding given that education is a state right. The roots of such funding is the first topic of interest in FERPA, as any institution who does not comply with such cannot accept Federal funding. Earlier I alluded to this by noting that many Districts are betting the farm on wildcard vendors. Federal funding first appeared during the Elementary and Secondary Education Act (ESEA) of 1965. [7] Traces can be found earlier, but the incorporation of K-12 Federal funding is largely due to President Lyndon Johnson, who ironically began his career as an Educator. [6] One program that most Educators know well and is still in use today is Title I. [13] Federal funds are only one of the three elements of the school funding formulas. The State also provides funding, as do local property tax levies.

Federal Funding to Schools: Mechanism Explained

While Education is a State funded program, some funding may come from Federal sources, e.g., Federal Financial Aid (Title IV) or Title I monies.[7][13] The Free and Reduced School Lunch Program is another example of same from the USDA. [4] In a nutshell, schools are allotted federal funding when they meet certain criteria, e.g. ESSA.[5] [7]This is usually done with one of two mechanisms afforded to the legislature in the US Constitution, i.e., the Tax & Spend Clause, Article I Section 8 Clause 1, or the Interstate Commerce Clause, Article I, Section 8 Clause 3, to facilitate the flow of Federal funds into schools.[5][21]

Educational Records

In 20 USC 1232g (a)(4)( A) the critical term “educational records” is defined with two criteria, (i) “Directly related” and (ii) “Maintained by an educational agency or institution.”

Expert Note: Family Policy & Compliance Office Practitioner

With law and policy, it is always best to turn to an expert. Mr. LeRoy Rooker, served 21 years at the U.S. Dept. of Education Family Policy Compliance Office, his biography notes he is “the nation’s leading expert on the Family Educational Rights and Privacy Act (FERPA).” In 2018, he was quoted in an Edsurge article, where he warns on the perils of third party Data providers and their impact on our professional duties in our ubiquitous world of Data. [19] As Mr. Rooker cites,

“Among the questions they should ask are how the vendor gives parents and students access to records, and how it prevents unauthorized people from accessing those records.” [19]

Mr. Rooker’s next point more deeply discusses this issue as it relates to apps, software, and technology or Ed tech, which highlight the surrounding concern of late with vendors e.g., Zoom Voice Communications and Google, plus other large technology companies. [41][42] Of particular note is the “free” vendors. Id.

“Schools should also be careful with online vendors such as apps and websites that offer free services, Rooker adds. Those services might appear free on the surface, but the vendors could be ‘getting paid in education records,’ or mining the data to sell to third-parties, another violation.” Id.

A very similar scenario is alleged in the violations in the suits against both Zoom Voice Communications and Google. Each of which are discussed in subsequent articles. Another FERPA professional, Steven McDonald, a FERPA expert & General Counsel at the Rhode Island School of Design, offers the following insight, as also quoted in EdSurge where he expounds on “free tech.” Id.

Footnote 43

Redaction to Prevent Double Trouble: When a Record Contains Information on More Than 1 Student,

In the event that a record is applicable to more than one student, redaction may be needed. This is discussed in 20 USC 1232g (a)(1)(A)

DATA, Sensitivity Test: PII & Biometrics, Oh, My!

Just as technology has changed the forms of data, so to has it changed the definition of sensitivity, from Personally Identifiable Information (PII) and Biometric Data, we collect vast amounts of data on our students. It is CRITICAL to understand what we are collecting along with all the aforementioned questions surrounding storage, access, and ownership. We touch on Biometric data briefly here, yet it is more fully explored in subsequent articles at the intersection of surveillance and discipline. [52]

Committee on Government Oversight & Reform Facial Recognition January 15, 2020

PII: Direct & Indirect

PII is a special type of Data. In this context we will use the federal definition. Yet, with 50 different state jurisdictions, the lack of a standardized terminology adds flame to the fires of privacy law.


The Department of education has delineated this particular data point as biometric,

Dissenting Opinion: Time, Inspection, Amendment, & Hearing

In addition to access, parents also have the right to inspect and review all educational records discussed above. In the event a parent is not within commuting distance, schools must facilitate a process for the parent to exercise this right and ensure that parents whom request such, receive a copy of all of the ‘educational records,’ or an agreeable arrangement is made. Schools are also required to provide a response to any question or dispute raised. 20 USC 1232g(a)(1)(A)(B) [27]

Brimful of [Access] on the 45: Inspection, & Review

Moreover, the law also stipulates the right to amendment for inaccurate information, a hearing when a dispute exists, and further remedy. While this law protects data, the legislative intent was to provide parents complete and transparent access to the vast amounts of data that a school or its vendors collect to ensure accuracy of such data. Schools that deny any of the above, risk losing their Federal funding. Generally, schools have 45 days to execute such a request. Of note is that differing jurisdictions may have a less generous deadline to produce such, offering even greater reason to follow the best data practices noted below. 20 USC 1232g(a)(1)(A)(B). [27]

Amendment, Hearing, & Destruction

In the event a parent has a question, the school must give the parent an explanation, and if the parent is not in agreement, the school shall offer procedures for a hearing, if after the hearing, there is still dispute, the parent may attach explanation to that portion thereof. Not all things are allowed to be disputed. Alas, it bears necessity to state that once, the parent requests records, the Institution may not dispose of or otherwise “destroy” any data as cited by 34 CFR 99.3 [1][27]

Disclosure, Legitimate Educational Interest, Directory, Enforcement, & Audit

Prior to disclosure of student data, the law mandates that parents must authorize such, unless one of two exemptions are present.

Broken Promises:

Third Party Software, Apps, et al.

(B) With respect to this subsection, personal information shall only be transferred to a third party on the condition that such party will not permit any other party to have access to such information without the written consent of the parents of the student.

If a third party outside the educational agency or institution permits access to information in violation of paragraph (2)(A), or fails to destroy information in violation of paragraph (1)(F), the educational agency or institution shall be prohibited from permitting access to information from education records to that third party for a period of not less than five years.

FERPA is a federal law therefore, every state must follow FERPA as outlined above. However, each State has Educational laws and Privacy laws causing a permutation of clauses and conditions that may bear significance. One such example that will be discussed in future articles is the private entity of Illinois Biometric Information Privacy Act (BIPA) this relates to many conversations of surveillance, but is beyond the scope here. [23]


Now that you understand FERPA, let’s dive deeply into why you are poised to change the Educational system, as outlined above. [27][1] Privacy is a fundamental right, this includes data privacy. Most districts have no idea what data is collected, stored, used, or wrongfully disclosed. [41][40][19]Some districts do not have any idea of what apps, software, hardware, IoT, or other devices are in use in classrooms within their domain, let alone the terms of service that may or may not be updated without notice. Id. Sometimes technology providers evade this via a concept is known as “click wrap.” Id. Unfortunately, as Mr. Rooker points out, the legal canon “ignorance is bliss” does not hold true. [19] Further, you now know that at a bare minimum, both Federal funding and interoperability may be lost if the data is misappropriated. Mr. Rooker points out other sanctions that may be assessed. In our application we will look at both Emerging Technology and Big Tech, then apply that to a hypothetical correlating that within our current school funding formulas, and finally address ethical dilemmas of the dynamic families that I repeatedly see overlooked due to the lack of awareness surrounding data privacy.

Emerging Tech Scales in Regulated Markets

How do these practices occur? Most of this is done covertly and not always intentionally, to begin with. The issue of emerging tech is a chicken and egg issue. As one builds a platform/company, mechanisms are put in place for limited scale, which may be good for some sectors that do not value privacy; however, when an emerging technology company crosses the enterprise line or attempts to disrupt a regulated industry, things can become messy without proper adherence to compliance. A few examples of such are healthcare, financial services, legal services, and capital markets. For whatever reason, most overlook the fact that Education is heavily regulated. [41] This is especially true with respect to data privacy, given the majority of users are one of the most protected classes of data citizens, CHILDREN. As these companies scale, they likely use sloppy architecture, as we saw with Zoom’s habitual privacy faux pas since pre-IPO, discussed in the Glenn Fleishman’s, summary of Zoom’s history, along with the two EPIC Privacy complaints, and the shareholder lawsuit filed against Zoom. [41][43][19][57] Much of this is beyond the scope here and is addressed in my article, Open Letter to 90K Educational Institutions, Please Do Not Use Zoom: Repeated flaw of privacy, security, & transparency are not in the best interest of our students.

Shareholder lawsuit field against Zoom for repeatedly failing to disclose privacy risks. Contains a summary history of events up to April 2020; see also [43]

EdTech is not AdTech.

In conclusion, when using technology, cloud, edge, or other storage mechanisms, it is critical to understand how these technologies impact your industry. Technology by its very nature is esoteric, which only complicates matters.

Big Tech, Big Problems -Applying FERPA: Zoom, Google & the Lure of Free Software

In cases such as ZOOM or Google, in depth analysis would depend upon the terms of service/terms of the contract.[25][19][43][ 58][57]In the case of ZOOM, at times, teachers have opted into the contract aside from their District.[19][43] As has become clear, Educational records from technology providers need to be in the control of the school in order to comply with FERPA, yet in some terms of service, when using the said service, one may only qualify for a copy by summoning the appropriate ‘data god’ (operator).[19][41][27] This does not comply with FERPA. Id. Further, it is imperative to do proper contract reconciliation and ensure careful drafting.[41][43] Due diligence is an enormous part of this reconciliation. As Mr. Rooker points out, it is on the Educational Institution to conduct appropriate due diligence on contract terms.[19][41] Wherein both ZOOM and Google, cases, the allegations point to practices contrary to the contracted terms, likely facts and circumstances will weigh heavily on if student data was breached and to what degree. [43][25][41][42][57][71]

A good read for anyone looking to better understand what the state of data security is in schools. Document notes for article are included. [59]

Current School Funding Formulas Create Muddy Waters in School Funding: Would Data Breach Provide a “Special Purpose Vehicle,” to Address the Digital Divide & Clarify the Law?

One key takeaway is that it should come as no surprise technology companies maneuver through our patchwork of privacy law. This must be addressed. I discuss this in alternate articles, however, could these breaches in trust be leveraged to address the digital divide in other ways without the providers who are a party to these suits?[61][60] In accordance with FERPA, any party found to misappropriate student data would not be allowed to have access to student data for a period of up to five years generally speaking, I am sure there are loopholes here given the state of privacy law. [27][60] Could this open up a marketplace for true data privacy as a service in Education? Access of technology companies to student data including but not limited to their transparency in Education, or lack thereof, is another highly probable use of Blockchain to hold these conglomerates accountable. This could be as simple as a smart contract to verify compliance, discussed in subsequent articles.

Innovation: Education Funding & Technology

Education funding is the primary reason that many schools lack technology. In a letter from the U.S. Dept. of Education, this was addressed with respect to IDEA funding and assistive technology. [63] The embedded letter discusses this in more detail, however, this was 2017.

Lease, Payer, & Services?

There are certain provisions where taxpayers cannot be compensated within school funding formulas. If parents were required to pay for the “lease” of these machines as I have been told, or “maintenance” of these machines, per the inquiring parents, many are entirely out of date, and have disproportionate fees, who is the aggrieved party? Parents, Schools, Parent Teacher Organizations, or other non-profit entities? While the services are free, what significance that holds and the extent to which the schools had or did not have a choice with respect to technology, may also illuminate other regulatory schemas who may weigh in.

Data Valuation? A Hypothetical Argument

What if Tech received a taxable contribution write off, yet sold student data, the Board or other school entity paid for the technology in good faith with funds collected from their stakeholders, and later this practice was unraveled. The Tech company received a 5x return because of these five factors.

Ethical Dilemma as a Dangerous Cocktail: Disputes, Controversy, and Lack of Proactive Policy

One of the things I educate families, teachers, and school districts on, is a term known as toxic or hostile parenting.[29][35] In this example, one parent will use mechanisms that an institution such as the school may not be well aware of in order to either isolate the child or in extreme cases alienate the child against the parent. [2][5][34][32] Quite simply schools should not be placed in the midst of custody disputes.[30] However, many times they are. Just as there is mandatory child and abuse training, schools should become well-educated on the tactics that some litigants may resort to in order to achieve their misaligned objectives using the unsuspecting schools.[29][34][33]

FERPA Policy & Law Applied to Family Conflict

To answer this ethical dilemma we as educators must be guided by our core ethos, to behave in the best interests of our students.[36][230[33] The law guides us in this. Time is precious, records may be difficult to update, and once false data is imputed into a system it may be difficult to remedy due to siloed data. When I advocate for families who feel that they may have been victim of this, I first suggest that they invoke their FERPA rights and do so as expeditiously as possible, in accordance with the law, request a complete review of their child’s entire educational record, including but not limited to the audit record stating the “legitimate educational interest,” and all other educational records, because the law not only provides the ability to inspect, but also to review and request correction of false data.[36][6][30] Cases have surfaced where one parent stated false data, which unbeknownst to the other, improperly severed their rights, because the school took one parent’s word. This takes time to remedy. I strongly encourage schools prior to noting any data such as this into any “learning system” to consult their General Counsel as to appropriate documentation.

Best Practices — What Can Schools Disclose?

1. Metadata- Is the underlying data within applications/software. There is significant discourse on whether or not some metadata is de-identifiable. This is beyond the scope here, but a note of caution is placed. as Institutions must ensure that “metadata is fully de-identified,” and has no way of containing PII. [74]

Taken from Fordham Law Study on Cloud Computing [41]
Notes from the World Privacy Forum “Without Consent” Report [66]

Review & Closing Thoughts

There has been a lot of new “data.” in this section, we will review a few key points. Particularly relevant to these unprecedented times of COVID-19.

Aside from students rights, in New Mexico v. Google, it is not only student records that are alleged to be under exploit, but rather through a contradictory practice of privacy by design, personal and educational accounts may be placing private data of families, teachers, staff, and students at risk. [25]

Privacy policies are imperative. While it may not be in your particular domain to understand every aspect of such, it is highly recommended that you rely on Counsel to guide you through. Each school and/or school board must have appropriate digital policy. Some examples that may be made even more difficult for districts to navigate in the digital age is a contested custody dispute, when one party has stated an alternate custodial arrangement than what the court Ordered. Generally, if you do not have a court Order citing custody is solely assigned to one parent, and you deny or restrict the role of a parent who does, in fact, have joint custody, ‘just to be safe,’ as the other parent has told you such, you may have just been inadvertently violated the law. It always best to see advice from your General Counsel.

Resources Consulted Clean Version

Resources Consulted Alternative View

Resources Consulted Direct Links

[1] https://www.govinfo.gov/app/details/CFR-2011-title34-vol1/CFR-2011-title34-vol1-sec99-3



Frmr. Dir. of Presentations, Athena.Trade | E Media Group | Educator|ADD/ADHD Coach |M.Ed. |Writer | MLAW |Founder of MinED & Lula & CO|Mom (14yo Gmer./Writer)

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jenny Balliet

Jenny Balliet

Frmr. Dir. of Presentations, Athena.Trade | E Media Group | Educator|ADD/ADHD Coach |M.Ed. |Writer | MLAW |Founder of MinED & Lula & CO|Mom (14yo Gmer./Writer)