Student data privacy has been a hot topic in the last year or so and is only expected to gain momentum as educational services, websites, and mobile apps infiltrate classrooms everywhere, with students of all ages from elementary grades to university levels.
As new bills, laws and legislation get passed, it's becoming crucially important for businesses developing student-focused websites and mobile apps to stay up to date with legal requirements and make sure that their Terms of Service agreements reflect an appropriate level of student data privacy.
Student data privacy is governed by a number of different laws such as the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), and the Children's Online Privacy Protection Act (COPPA).
Recently, the Department of Education released a PDF report that provides guidance on what schools and educational parties should look for and consider when reading the Terms of Service agreement of any website or app that they sign up with that will be connected in any way with the personal data of students.
We'll highlight the main points that should be taken from the report and applied to the Terms of Service agreement of your website/mobile app if you're developing a website or app that will be used by students.
Highlight 1 - Cover a broad range of data
A business can collect a broad range of data, such as metadata and user content, but which and what data is collected must be disclosed.
Any limiting language in the definition of data is a red flag for educators. Avoided doing this when drafting your own legal agreement
Explicitly list what is considered data, but add a clause that other related informational pieces can be also included under data. Cover as much as possible and leave room for interpretation that something in question would be considered data rather than not be considered data.
Highlight 2 - Don't leave out de-identified data
De-identified data is personal information data that has had all personal attributes removed. All that's left is data that can be used for general purposes such as website statistics or app statistics.
While de-identified data is not covered by privacy statutes, you should be aware that true de-identification is difficult, and that the possibility of re-identification is always something to be concerned about.
Include disclosures in your Terms of Service agreement that prohibits attempts at re-identifying data, and also spells out exactly what information is removed from the collected data before it can be considered de-identified.
This will help make sure that third parties can't obtain collected student data in a partially de-identified state and then re-identify the data.
Highlight 3 - No marketing or advertising
Don't allow student data to be used for marketing and advertising purposes. This is an absolute violation of student privacy.
Make sure the Terms of Service agreement you create makes this clear for any schools that will sign-up.
If you are a business designing a website or mobile app for student use, remember that you cannot use the student data in any way for any sort of marketing or advertising. Make it clear in your legal agreements that you won't be doing this.
Highlight 4 - Modification of terms should be limited
Legal agreements, such as Terms of Service agreements, for apps or websites used by students, should not be updated without, at a minimum, notice given to the school that the terms in the legal agreements will be changing.
Ideally, consent should be given by the school that it is acceptable to change terms before anything is changed.
Highlight 5 - Limit data collection
Data collection should be limited to what's necessary for your website or mobile app and to what's explicitly mentioned in your legal agreement.
Any third party data collection loopholes should be watched for and not accepted. Because student data is so legally protected, only the minimal amount of data should be collected in all cases.
Highlight 6 - Limit data use
Data use should be limited to exactly what has been outlined in your Terms of Service agreement and nothing else.
State in your legal agreement that the school will maintain control over student data that is protected under FERPA.
Highlight 7 - Prohibit most data mining
To avoid a possible FERPA or PPRA violation, make sure that any data mining that must occur is used solely for the functions of your website or mobile app (such as spam or virus detection or personalization purposes.)
Remember, student personal data can never be used for advertising or marketing purposes.
Highlight 8 - Data sharing must be limited and consented to
In your Terms of Service agreement, mention that data sharing with any third party without written consent of the educational client is prohibited.
Anything else leaves student data vulnerable to being transferred to other parties or vendors and is a potential violation of FERPA.
Highlight 9 - Data destruction
It's a best practice to include a clause that allows for all student data to be destroyed or transferred to the educational client at the end of the contract term between the educational client and the website/mobile app.
This is just a good way to finalize what will happen with the data at the end of the service and leave no questions as to what is acceptable behavior.
Highlight 10 - Keep rights and licenses with educational client
Inform schools, in your Terms of Service agreement, that all intellectual property rights remain with the school or the district, except those expressly specified in your agreement.
Mention that you, as the business operating the website or mobile app, are granted a limited license to fulfill duties as specified in the agreement.
No trade or sell rights should be transferred away from the educational client and this should be made clear.
Highlight 11 - Give open access
Under FERPA, schools must make all education records for students available to parents.
This means that at any time and upon request a school must have access to the student data stored on the website or mobile app.
Putting this language in your Terms of Service agreement ensures that no issues will arise that will create an FERPA violation.
Highlight 12 - Keep data safe
Security controls and risk management must be in place on your website or mobile app in order to keep private student data safe and secure from malware, hackers or abusive users.
Create your Terms of Service agreement in such way to include outlined safeguards on keeping data safe, as well as a plan for what will occur if data is actually or potentially compromised.
Highlight 13 - Give minors an eraser
If minors actually do use your website or mobile app, or potentially may use it, you must provide a way for the minors to remove information they post. This is the "Online Eraser" law.
You must notify your minor users that they are able to remove content they post and later wish to have removed, and give them clear instructions on how to go about removing the content.
The Student Online Personal Information Protection Act (SOPIPA) is taking effect in January 2016, and is the most restrictive privacy requirement to date when it comes to what a business can use student personal data for.
SOPIPA applies to websites or mobile apps that collect data from K-12th-grade students who are located in California.
Your business can be based anywhere, but if any student data your business interacts with comes from a student based in California, you will fall under the scope of SOPIPA.
Under SOPIPA, student data includes:
- Any information about a K-12 student that a parent or student provides to you for school purposes
- Information that a K-12 school or agent of the school, district or local education office provides to you
- Information that you collect yourself through your website or mobile app that would easily be able to describe or identify a student.
Information can mean anything from name and address information to class rosters, test results, photos, medical records, or anything that could be used to identify a student.
Under SOPIPA, student data is very limited in how it can be shared and used. Basically, student data can only be used for educational purposes and absolutely not for marketing or advertising purposes, for sale or profit, or to create data profiles of the students.
While this law has yet to take effect and guidance on compliance is non-existent, there are a few things you can do to prepare for required compliance:
- Maintain security procedures over the student data you currently collect.
- If your data is already minimally collected, kept secure, and not used inappropriately you will have an easy time transitioning under SOPIPA if the law applies to you.