The Family Educational Rights and Privacy Act (FERPA), introduced in 1974, is a US federal law which protects the privacy of student records. The act gives parents of students or students at least 18 years of age the ability to access educational records, to seek to have records amended, and to control the disclosure of educational records.
With many exceptions, a school must have written consent in order to release personally identifiable information (PII). However, a school may release student records to the following without parental or student consent:
- School officials with legitimate educational interest*
- Schools to which a student is transferring
- Parties in connection with a student's financial aid
- Officials for the purpose of an audit
- Organizations conducting studies on behalf of the school
- State and local authorities
In 2008, the definition of "school official" was expanded to anyone who "performs an institutional service or function for which the agency or institution would otherwise use employees". This change was introduced to accommodate the growing trend of using third-party vendors to maintain student data. The amendment to FERPA also states that schools still must be able to directly control data that is hosted by a vendor and that contracts with vendors must indicate that student data may only be used for legitimate purposes.
Students or parents are allowed to contact the Department of Education about possible FERPA violations. The Department of Education will then investigate the claims and determine if a violation has occurred. If one has, then the school will be directed to fix the infraction. If a school refuses, the Department of Education may withhold federal funding.
What does this mean for EdTech companies?
Legally speaking, schools are entirely responsible for FERPA compliance. While a company may be sued for breach of contract with a school if it improperly shares a student's records, the company itself cannot be federally sued for FERPA violations. Of course, schools are much less likely to work with vendors that cannot certify that student data is safeguarded. Ensuring that student records may only be accessed securely by the appropriate parties should be one of the cornerstones of educational software.
Private industry has tried to quell the worries of federal and state lawmakers by supporting industry-led initiatives to safeguard student data and privacy. For example, almost 400 companies have signed the Student Privacy Pledge (an initiative from the Future of Privacy Forum and the Software & Information Industry Association). Companies that sign the pledge promise to only use student data for purposes that are explicitly agreed to by the schools they work with. Additionally, industry certification organizations, such as iKeepSafe, provide certification for software that complies with various state and federal laws, including FERPA.
Does FERPA matter?
Keeping student data safe and ensuring that schools, parents, and students can appropriately make FERPA requests is a key responsibility of any EdTech vendor. However, let's briefly explore what actually happens when someone brings forth a case concerning a possible FERPA infraction.
As previously mentioned, a school that refuses to address FERPA violations can have federal funding withheld by the Department of Education. This has never happened.
In a 2002 Supreme Court case, Gonzaga University v. Doe, the court found that FERPA did not grant any personal rights to enforce the provisions. This means that even though a FERPA violation may have been committed, there is no legal recourse for a student or parent to sue a school for FERPA violations. The Department of Education is the sole decision maker when it comes to punishing a school for FERPA infractions.
That being said, FERPA and safeguarding student privacy do certainly matter. FERPA does provide the legal framework for how contracts should be written between vendors and schools. As stated earlier, vendors can be sued for breaches of contract or for misleading statements if student PII is inappropriately used. So while your company may not directly be on the hook for a FERPA violation, you still may be sued on other grounds.
The Future of FERPA
There have been attempts at both the state and federal levels to give FERPA more teeth. Some lawmakers have even proposed levying fines against vendors that release PII in a way that violates FERPA. With the increasing scrutiny that companies are facing concerning user privacy, it wouldn't be a surprise if lawmakers or federal agencies started to clamp down on student data.
The EdTech industry does try to police itself and advocates for vendors to adopt modern security practices and standardize methods to securely transmit student data. Educational software developers should try to stay ahead of the curve by ensuring that the student data they maintain and transmit is secure using the most up-to-date security standards and practices.