What is FERPA?
What is FERPA?
The Family Educational Rights and Privacy Act, or FERPA, governs student privacy in educational settings. Under FERPA, student data may be collected only for limited, education-related purposes, and kept only for the period of time needed to fulfill the purpose for which the data was collected. It is not allowed to be commercialized.
FERPA was passed in 1974. While it has undergone amendments over time, it has remained virtually unchanged when it comes to protecting our children’s privacy. Meanwhile, the technological environment has changed dramatically since the 1970’s and the protections offered by FERPA have simply not kept up.
Unfortunately, schools and school districts capture ever-growing amounts of data about our kids. The law lets them do that. The fight to control our kids’ data starts with understanding this key piece of the puzzle.
History of FERPA
When FERPA was passed in 1974, it allowed a school to publish a “Student Directory” without parental consent. “Directory information” is supposed to be information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy if disclosed, and typically includes information such as name, address, telephone listing, date and place of birth, participation in officially recognized activities and sports, and dates of attendance.
Back in the 1970s and 1980s, when directories were provided in paper form and handed out only to students and parents at the school, the privacy issues were limited only so far as those directories could physically travel. But today, when placed online for anyone to access, this same directory information subjects students to potential harassment, stalking, identity theft, and other invasions of privacy.
The “School Official Exception”
Similarly, FERPA includes an exception referred to as the “School Official Exception.” This allows a school to disclose student personal information to a third party without explicit parental consent when that third party is providing an educational service on behalf of the school.
When FERPA was first passed, these third parties were people who provided services in person, such as speakers at a school assembly or field trips with personal guides. Incredibly, even before the pandemic, the average U.S. school was using 400 to 1,000 different online tools, according to the Student Data Privacy Consortium, an organization of school districts working to improve student-data privacy. Today, Ed Tech vendors (companies, not people) that provide services remotely, not in person claim that they fall into the “school official” exception. Unlike the vendors of the past, these Ed Tech companies are much more difficult for schools to control and oversee.
A key requirement of the “School Official Exception” under FERPA is that the school maintain “direct control” over sub-contracted vendors providing educational services. This is straightforward when the school official is an assembly speaker or a museum guide. It has become impossible when the school official is Google.
EdTech, Remote Learning, and FERPA
These are just two ways that today’s technology companies have outrun the law protecting kids’ privacy at school. With the proliferation of Ed Tech in public schools over the last decade, especially since remote learning started, there is significant concern that Ed Tech companies are collecting more student information than they’re allowed to, keeping it for longer than they’re supposed to, and using it in ways they’re not legally permitted to.
Continue to “What’s At Stake” to learn more…
