Student Data Privacy

Data and Privacy GearThe use of technology to provide high quality instruction provides vast opportunities for personalized learning. However, districts need to balance instructional needs with privacy protections. This webpage and the data governance webpage serves as a resource for how districts can support best practices at the school level to protect the confidentiality of student data. School districts need to consider federal and state laws, state and local school board policies, parental expectations, student instructional needs, and the current available resources when developing privacy guidelines and procedures.

This webpage and the data governance webpage provide details on the following information:

  • Federal & State Privacy Laws – the legal requirements that must be considered when developing privacy programs
  • Data Governance – the interrelationships of data governance, security, and privacy programs
  • District Roles and Responsibilities the roles and responsibilities of various entities in protecting the confidentiality of student data
  • Student Data Professional Development programs considerations for effective staff professional development

It is important for districts to know they are responsible for establishing and supporting effective data governance, data privacy and data security programs in addition to compliance with laws and regulations. Providing these programs can also better facilitate effective and innovative instructional practices which are necessary in today’s school environments.

FEDERAL AND STATE PRIVACY LAWS

6 main federal and state laws for privacy

FERPA At A Glance

  • Originally passed in 1974 and has been amended several times
  • All schools that receive federal funds are subject to the requirements of FERPA
  • The Privacy Technical Assistance Center (PTAC) was established by the U.S. DOE to provide resources
  • Provides opportunity for parents and students 18 and over to review student education records
  • Prohibits schools from disclosing personally identifiable information (PII) from a student’s records
  • Requires districts to notify students and parents each of their FERPA rights

 

Personally Identifiable information (PII) for FERPA includes but is not limited to:

Name of a student or their family members Place of Birth
Address or Geolocation information of a student or their family members Mothers maiden name
Social Security numbers Other online contact information like screen names
Student ID numbers Telephone numbers
Email Address Student’s Date of Birth

4 Common exceptions to FERPA

There are allowable exceptions (shown below) which allow districts to use reasonable methods to ensure that any third party that receives student information uses the data for district authorized purposes only. It also requires that the third party destroy all of the data once the data is no longer needed for the purpose which it was shared. Districts should be sure to put these agreements in place before they begin the sharing of student data. The NDE offers membership to its Student Data Privacy Consortium for each Nebraska school district for assistance with these agreements.

  1. School official exception – allows districts to share PII to designated school officials with legitimate interest
  2. Studied exception – allows disclosure of PII to third parties that conducting studies on behalf of educational agencies or institutions
  3. Audit or evaluation exception – allows disclosure of PII to authorized representatives of federal, state and local education authorities for audit of support educational programs
  4. Directory information exception – allows certain PII to be disclosed without parent or eligible student (18 and over) consent if they have notified parents what information is designated as directory information

For more detailed information about FERPA exceptions see the FERPA Exceptions Summary at the PTAC website or click the link below to download the PDF:

PTAC FERPA Exception Summary PDF Link

COPPA At A Glance

  • COPPA is administered and enforced the Federal Trade Commission (FTC).
  • The law protects children under the of 13 who use websites, online games and mobile applications
  • The vendor is responsible for following the law but, districts have an obligation to oversee the vendors use
  • Districts need to be sure an agreement is in place with third party vendors on the use of the data

 

Personally Identifiable information (PII) for COPPA includes but is not limited to:

First and last name Social security number
Physical address, including street name and city Persistent identifier used to recognize a user over time
Online contact information Photographs, video or audio files
Screen name or user names Geolocation information
Telephone numbers Parent information collected from student online

 

CIPA At A Glance

  • Enacted by Congress in 2000
  • Tied to E-rate funding for school and libraries
  • Schools and libraries must have an Internet safety policy that includes protective measures like filters
  • Must block pictures that are obscene, considered child pornography or harmful to minors
  • Provide education to minors on proper online behavior, social networking interactions and cyberbullying

 

More information about CIPA can be found on the FCC website or this PDF.

PPRA At A Glance

  • Regulates collecting student’s personal information on certain sensitive topics (see details below)
  • Parents must be able to see any instructional or survey material used with their children
  • Parents have the right to withhold their child from participating

 

Generally there are 8 protected areas:

Political affiliation or beliefs of student or parents Critical appraisals of people student has family relationships with
Mental or psychological problems Legally recognized relationships, like attorneys, doctors and ministers
Sex behaviors and attitudes Religious practices, affiliations or beliefs of student or parents
Illegal, anti-social, self-incriminating or demeaning behavior Income (other than required by law for eligibility of program or financial assistance)

 

More details can be found on PPRA at the FerpaSherpa website.

HIPAA At A Glance

  • Enacted in 1996
  • Protects the confidentiality and security of healthcare information
  • HIPAA rarely applies to K – 12 schools because most school collected records are considered education records bound by FERPA instead

 

More guidance on HIPAA as it relates to FERPA can be found in this PDF.

State Guidance At A Glance

  • NE state statutes related to Student Data Privacy are: 79-2,104 79 -318
  • Board policy for these statutes is summarized in Rule 6

 

Quick link to Rule 6 document

Updated May 19, 2020 1:41pm