Though the Children’s Online Privacy and Protection Act (COPPA) was implemented in 2000, a 1974 law paved the way for kids’ privacy online.
The Family Education Rights and Privacy Act (FERPA) came first and dealt primarily with paper gradebooks and report cards then. How times change.
Today, FERPA holds the line in multiple ways. Not only does the regulation give families rights to access their children’s data, but it also provides guidance for what schools need to do to protect children’s data—whether it’s kept in paper files onsite or hosted files in the cloud. And as edtech providers build solutions for schools, FERPA provides the foundation for any decision dealing with student data.
Vendor accountability ✔️
Since schools are custodians of children’s data, the buck stops with the superintendent and school board. This means school districts must choose an edtech vendor with superior security strategy. What does that look like? There are two parallel security rails that keep student data safe in a student information system (SIS).The first is FERPA’s language about “legitimate educational interest.” The way an SIS manages who can see which student matters. This may be permissions-based, which means certain roles will have less access in the software. From a security standpoint, this tactic supports least privilege: only the minimum necessary rights are granted to each user, creating higher levels of security in the system overall.
See how SIS systems use role- and task-based permissions to keep data secure >>
Next, it’s crucial that each edtech vendor have a deep and rich repository of authentication tools, including multi-factor authentication (MFA) and single sign on. But it’s perhaps even more important to have the right attitude about keeping data safe and each user’s responsibility to prevent exposing credentials to a cybercriminal.
Educator training ✔️
It’s up to each school district to defend whether an educator has a legitimate educational interest and therefore can view a student’s data. So in practice, limiting access to student data may result in pushback.After all, legitimate interest may exist, but an SIS system cannot be reasoned with to accept one-off cases. What can teams do to manage the real needs of educators and create a secure AND reasonable, FERPA-compliant approach to sharing data?
Just like edtech vendors, this is a double-winged approach. First, educators can understand student data in its repository role: that is, the data is kept safe and secure (whether that’s an onsite data center or a cloud-hosted approach) until it is needed.
Next, educators can own their roles in staying FERPA-compliant with complete administrative support. On occasion an educator is asked by families to share student data, but far more common is the review of student data by professional learning communities (PLC). This analysis helps educators determine their efficacy, crowdsource ideas from other professionals, and create detailed strategies for student progress. It’s important! It’s equally important to maintain student privacy.
That’s why the practice of FERPA first can inform how educators share information amongst each other, whether in software or via printouts and screenshots. If teachers choose to print and capture, those reproductions are covered under FERPA, too.
Educators are targeted by criminals spoofing edtech software providers. Being empowered to protect the network by being critical of email requests and aware of phishing scams can help your district stay FERPA compliant.
See how to take your crew on a phishing trip >>
Safe kids online ✔️
Another obstacle for FERPA compliance? The kids themselves.Students who are digital natives do not automatically understand good boundaries of data stewardship, but you can bet they can navigate a device quickly. This can be a recipe for disaster.
The good news is educators and edtech vendors are well aware students can pose a threat to data security. Students can infiltrate secure systems using stolen or guessed passwords, so educators can create a strong passphrase and use MFA, reporting any unexpected prompts for credentials to IT. Students can stumble upon printed data, so educators can secure, destroy, or redact the information they export from edtech systems.
For an act pre-dating the widespread use of technology, FERPA does some pretty outstanding things to keep K12 data safe in cyberspace. Whether it’s written, typed, calculated using grading software, or otherwise introduced into an edtech system, the right attitude about protecting student data matters. FERPA matters.
WHAT'S NEXT FOR YOUR EDTECH? The right combo of tools & support retains staff and serves students better. We'd love to help. Visit skyward.com/get-started to learn more.
|
Erin Werra Blogger, Researcher, and Edvocate |
Erin Werra is a content writer and strategist at Skyward’s Advancing K12 blog. Her writing about K12 edtech, data, security, social-emotional learning, and leadership has appeared in THE Journal, District Administration, eSchool News, and more. She enjoys puzzling over details to make K12 edtech info accessible for all. Outside of edtech, she’s waxing poetic about motherhood, personality traits, and self-growth.
