Too Much Access: The FERPA Compliance Gap
by Advancing K12 Staff
The SIS helps districts stay organized, provides educators with access to important information, and facilitates the collection and sharing of data mandated by state and federal agencies. However, as many districts have found out, if you don't follow the strict guidelines put in place for the safety of your students, you can quickly find yourself in hot water.
As more state-mandated audit failures are made public, the most commonly cited error is allowing school staff with “no legitimate educational interest” in a particular student to view that student's information.
In short, if your teachers, coaches, and support staff can log in to your SIS and view every student in a given school (or any number of students that are not assigned to them during the time period in question), your security configurations are probably not compliant with FERPA.
What "Legitimate Educational Interest" Means
Let's start with the basics. The relevant clause in FERPA permits school officials to access a student's personally identifiable information if they have a legitimate educational interest in that information. Since this clause is so broad and can be interpreted a number of different ways, districts are required to clarify both terms in an annual notification of FERPA rights to their students and families.
In general, the term "school official" in a K-12 district will apply to instructors, administrators, health staff, counselors, attorneys, clerical staff, committee members, disciplinary boards, and individuals that the school has outsourced services to. As for "legitimate educational interest," the requirement would generally include any school official who needs to review a student's record "in order to fulfill his or her professional responsibility."
What You Can Do to Remain Compliant
Given the (relatively loose) framework, it's important to note that FERPA still puts the burden on school districts to protect educational records against unauthorized access. Because of this, the number one practice we recommend to districts is to limit access to student data to the minimal amount of information required by school officials to do their jobs, and only during the specific timeframe in which a need for access can be justified.
This is often an unpopular practice, necessary as it may be. I've spoken to CTOs who have received backlash from their teachers in districts that had become accustomed to universal access and the ability to "peek in" on former students or those who have not yet crossed their paths. The best defense for leadership teams is usually a good offense – take an opportunity to proactively hammer home the importance of FERPA and how it applies to district staff at all levels. Most will understand the prioritization of compliance over convenience, even if they're not initially happy about it.
The "Role" of Technology Providers
As a starting point, any security configurations and account management strategies associated with your SIS should be role-based. This approach will limit the visibility of data to only what is essential for any individual to fulfill his or her responsibilities. Role-based security also cuts down on the amount of manual tinkering you'll need to do when new employees are added or someone moves to a new position/location within the district.
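The sketch below is an added example, not code from this article or from any SIS product. It combines the two controls described above (role-based field visibility and access limited to the period a staff member is actually assigned to a student) into an audit over an access log. The role names, field names, staff and student IDs, and log layout are all hypothetical and constructed for illustration.

```python
from datetime import date

# Constructed sample data; role names, fields and IDs are hypothetical.
ROLE_FIELDS = {
    "teacher": {"grades", "attendance"},
    "coach": {"attendance", "eligibility"},
    "nurse": {"health", "attendance"},
}
# (staff_id, role, student_id, first_day, last_day) of each assignment
ASSIGNMENTS = [
    ("t.nguyen", "teacher", "S100", date(2023, 8, 21), date(2024, 5, 31)),
    ("c.ortiz", "coach", "S100", date(2023, 8, 21), date(2023, 11, 15)),
    ("n.patel", "nurse", "S200", date(2023, 8, 21), date(2024, 5, 31)),
]
# (staff_id, student_id, field, access_date) rows from an SIS access log
ACCESS_LOG = [
    ("t.nguyen", "S100", "grades", date(2023, 10, 2)),      # assigned, in scope
    ("t.nguyen", "S200", "grades", date(2023, 10, 2)),      # never assigned
    ("c.ortiz", "S100", "eligibility", date(2024, 1, 9)),   # season has ended
    ("c.ortiz", "S100", "grades", date(2023, 9, 5)),        # field outside role
    ("n.patel", "S200", "health", date(2024, 2, 14)),       # assigned, in scope
]

def check_access(staff_id, student_id, field, on_date):
    """Return None if access is justified, otherwise the reason it is not."""
    rows = [a for a in ASSIGNMENTS if a[0] == staff_id and a[2] == student_id]
    if not rows:
        return "no assignment to student"
    active = [a for a in rows if a[3] <= on_date <= a[4]]
    if not active:
        return "outside assignment window"
    if not any(field in ROLE_FIELDS.get(a[1], set()) for a in active):
        return "field not needed for role"
    return None

def audit(log):
    """Flag log rows where the viewer had no justified need at that time."""
    findings = []
    for staff_id, student_id, field, on_date in log:
        reason = check_access(staff_id, student_id, field, on_date)
        if reason:
            findings.append((staff_id, student_id, field, on_date, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(ACCESS_LOG):
        print(finding)
```

The same `check_access` decision can be applied at request time to deny the view rather than only flag it afterward.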
You also have a right to expect transparency from your vendors. Privacy and security, aside from being moral imperatives, are also good business. Ask your providers to be clear about how much access they have to your data and what the root causes of any historical breaches on their system were. The only way to prevent history from repeating itself is to learn from the mistakes others have made in the past.