Department of Education Issues Guide On Protecting Student Privacy Online


Feb. 26 -- New guidance issued by the Department of Education's Privacy Technical Assistance Center aims to help school systems and teachers protect student privacy while using online educational services, the department said in a Feb. 26 statement announcing the release of the guidance.

Online educational services include computer software, mobile applications and Web-based programs provided by a third party to a school or district that students and their parents can use for school activities via the Internet, according to the guidance.

In addition to explaining requirements under the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA), the guidance sets forth a list of suggested best practices that schools and school districts can use “to go beyond compliance,” the department said.

“As an education community, we have to do a far better job of helping teachers and administrators understand technology and data issues so that they can appropriately protect privacy while ensuring teachers and students have access to effective and safe tools,” Secretary of Education Arne Duncan said in the statement.

Statutory Requirements

FERPA, at 20 U.S.C. § 1232g, protects personally identifiable information (PII) in education records from being disclosed without authorization, the guidance explained.

“Subject to exceptions, the general rule under FERPA is that a school or district cannot disclose PII from education records to a provider unless the school or district has first obtained written consent from the parents,” students 18 years of age or older and postsecondary students, the department said.

But FERPA does not protect certain data in certain situations, such as where student information has been de-identified or where the information constitutes “directory information,” information from student records that would not be considered an invasion of privacy if disclosed, the department said.

The PPRA, 20 U.S.C. § 1232h, generally requires school districts to notify parents of students whose personal information may be collected, used or disclosed for marketing purposes and to give those parents the opportunity to opt out of such activities.

Education's Best Practices

“Regardless of whether FERPA or PPRA applies to a school's or district's proposed use of online educational services, the Department recommends that schools follow privacy, security and transparency best practices,” the guidance said.

The department recommended that schools and districts:

• maintain awareness of other applicable laws, such as the Children's Online Privacy Protection Act;

• remain aware of which online educational services the district is currently using;

• establish policies and procedures to both evaluate and approve new online educational services;

• use a written contract or a legal agreement with providers;

• take extra steps when accepting “click-wrap” licenses for consumer applications, which can be acquired simply by clicking “accept” to the application's terms of service; and

• be transparent with both parents and students about how student information is collected, shared, protected and used.


The department also recommended that contracts with providers include provisions on: security and data stewardship; information collection; data use, retention, disclosure and destruction; data access; contract modification, duration and termination; and indemnification and warranty.

SIIA's Best Practices

Meanwhile, the Software & Information Industry Association (SIIA) Feb. 24 released a set of industry best practices for providers of school services to safeguard student privacy and secure student data.

Those best practices include: only collecting, using and sharing student PII for educational purposes; being transparent about what information is collected, used and shared; only collecting, using and sharing student PII with authorization from the educational institution or with student or parental consent; maintaining security policies and procedures to protect students' personal data; and notifying educational institutions about data breaches.

Full text of the Department of Education guidance, “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices,” is available at

The SIIA's suggested best practices are available at
