In today's data-driven world, protecting student data is a foundational requirement of all school districts and the people working in them. Student data privacy obligations and good information security practices are critical to mitigating data breach risks and reaping the benefits of a data-driven instructional program that promotes student success. So what is Student Data and what are the laws that govern and enforce student data policies?
First, as CoSN (Consortium for School Networking) defines it, student data is:
“any student information that is protected under applicable federal or state privacy law, including information that identifies, relates to, describes, could reasonably be associated with or could reasonably be linked, directly or indirectly, with an individual student. Student Data is also referred to as personally identifiable student data or student personal information.” (Siegl & Leichty, 2023)
In last month's post, we tackled the ins and outs of PPRA (Protection of Pupil Rights Amendment), originally established in 1978. This month our focus is on an even older federal act that is still pertinent and perhaps even stronger today, FERPA (Family Educational Rights and Privacy Act, 1974). Like PPRA, FERPA compliance is enforced by the US Department of Education. FERPA provides parents and students age 18 and above with rights to:
- inspect and correct or amend certain information in the Education Record
- provide prior consent to release information
- opt-out of publishing certain information
An acronym often discussed when considering Student Data Privacy is PII, or Personally Identifiable Information. This type of data includes, but is not limited to, information that could identify a student, such as their name, address, social security number, or other personal identifiers. It also includes any other information that, when combined, could be used to identify a specific student. Additionally, it covers information requested by someone who is believed to know the identity of the student to whom the education record relates. PII is the first important aspect of complying with FERPA. The other main areas of FERPA are Education Records, Directory Information, and De-Identified Data.
Education Records
Education Records are materials that are "maintained by an educational agency or institution or by a party acting for the agency or institution," and that contain information directly related to the student (Siegl & Leichty, 2023). It might help educators to understand what is NOT an Education Record in order to distinguish what IS an Education Record. The following are NOT considered Education Records:
- Records kept by the person who made them that are used only as a “personal memory aid” and not disclosed to anyone, except a temporary substitute
- Records maintained by an educational agency’s law enforcement unit
- Employee records made in the normal course of business that pertain only to the individual’s employment and that are not used for any other purpose
- Records created about a student age 18 or older or who is attending a postsecondary education institution by professionals such as a physician, psychiatrist, psychologist or other recognized professional or paraprofessional acting or assisting in that capacity for treatment of the student; this information can only be disclosed to those who provide the treatment
- Records that an educational agency created or received after the student stopped attending the institution and that are not directly related to the individual’s attendance as a student
- Grades on peer-reviewed papers before they are collected and recorded by a teacher
The Department of Health and Human Services and the Department of Education have established joint guidance on the intersection of HIPAA and FERPA. The two departments agree that "At the elementary or secondary level, a student's health records, including immunization records...as well as records maintained by a school nurse, are education records subject to FERPA" (Siegl & Leichty, 2023).
Directory Information
Each year, as a part of our Online Registration process in Infinite Campus, parents are given the opportunity to OPT OUT of sharing their information in the School Directory. Directory Information is a type of Education Record that can be released without causing harm or violating privacy. However, the specific details that fall under Directory Information vary from school system to school system. Examples of Directory Information may include a student's name, contact information, birthdate, academic information, and participation in extracurricular activities. Directory information may not include a social security number. It may also not include a student ID that may be used to gain access to Education Records with additional information known to the individual.
Classifying certain data elements as Directory Information allows School Systems to conduct some fundamental and often-expected practices, such as publishing team rosters, the program for the school play, or the student yearbook, without first obtaining prior written consent from the parent or eligible student. The Definitions section lists the types of information that a School System may choose to designate as “Directory Information.”
As noted by the DOE, each School System must:
- Define what it considers to be Directory Information, consistent with the requirements and limitations on that information as set forth in FERPA.
- Provide public notice of the types of information which they have designated as Directory Information.
- Give parents or eligible students the right to opt out of having their personal information classified as Directory Information, effectively opting them out of disclosure of that information under the Directory Information exception.
There are several other exceptions that school districts are allowed to claim in FERPA Directory Information, but these are the most important.
De-Identified Data
The Department of Education considers records and information "de-identified" once all personally identifiable information has been removed and, after carefully considering any other available information, it has been determined that the student cannot be identified. That determination takes into account one or multiple instances of releasing information. Formally, data is de-identified when all personally identifiable information has been removed and "a reasonable determination has been made that a student is not personally identifiable, whether through single or multiple releases of information and taking into account other reasonably available information" (Siegl & Leichty, 2023).
Here is a great guide to explain data de-identification: