o the creator or originator of that record in order to verify authenticity without the student’s permis

Example Scenarios

provide a letter of recommendation for a student that includes grades unless you have received written consent from the student to release this information for this explicit purpose.

provide anyone outside the college with lists of students enrolled in classes;

If you teach several sections of the same course but the students do not interact with each other in a physical classroom or online, the courses cannot be merged in Carmen.

The teacher who saw the incident in-person can speak about it because FERPA is not a confidentiality law. It only protects what’s in a student’s education record.

If a school denies access to student records to a parent of a student under the age of 18, that’s a FERPA violation

One is that, generally, higher education institutions can choose to release a students’ education records to both parents, provided that at least one parent claims the student as a dependent for tax purposes.

“It should be clear that [the data] belongs to the school, not to the vendor, and that the vendor’s responsibility is to process it for the benefit of the school and its students, and not for the vendor’s own benefit,” McDonald says.

“Law enforcement unit records” (i.e., records created by the law enforcement unit, created for a law enforcement purpose, and maintained by the law enforcement unit) are not “education records” subject to the privacy protections of FERPA. As such, the law enforcement unit may refuse to provide a parent or eligible student with an opportunity to inspect and review law enforcement unit records, and it may disclose law enforcement unit records to third parties without the parent or eligible student’s prior written consent

Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them.

schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31): School officials with legitimate educational interest; Other schools to which a student is transferring; Specified officials for audit or evaluation purposes; Appropriate parties in connection with financial aid to a student; Organizations conducting certain studies for or on behalf of the school; Accrediting organizations; To comply with a judicial order or lawfully issued subpoena; Appropriate officials in cases of health and safety emergencies; and State and local authorities, within a juvenile justice system, pursuant to specific State law.

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.

Department of Education offers a detailed overviewof FERPA

What about FERPA? The student is controlling how much information is out there. Similar to a public blogging platform being run by a university, FERPA only requires that student records (and what constitutes a “record” is debatable) not be public unless a student gives permission. In this case if the student wanted to sign up and lock down their hosting they can certainly do that, no one is requiring them to make their information public. This also comes back to our strict privacy policy (see previous question)

our current practice and policy was on par with what universities needed. It then became an issue of specifically having a legally binding agreement that protected the universities, professors, and students.

When a student begins attending a postsecondary institution, regardless of age, FERPA rights transfer from the parent to the student

and developing solutions to real challenges

rovider  will  store  and  process  Data  in  accordance  with  industry  best  practice

d  Provider  has  a  limited,  nonexclusive  license  solely  for  the  purpose  of  performing  its  obligations  as  outlined  in  the  Agreeme

 all  intellectual  property  rights,  shall  remain  the  exclusive  property  of  the  [School/District],

Access

Data  Transfer  or  Destruction

Data  cannot  be  shared  with  any  additional  parties  without  prior  written  consent  of  the  Userexcept  as  required  by  law.”

Data  Collection

There  is  nothing  wrong  with  a  provider  usingde-­‐identified  data  for  other  purposes;  privacy  statutes,  after  all,  govern  PII,  not  de-­‐identified  data.

Modification  of  Terms  of  Se

rovider  will  not  use  any  Data  to  advertise  or  market  to  students  or  their  parents.  Advertising  or  marketing  may  be  directed  to  the  [School/District]  only  if  student  information  is  properly  de-­‐identified

Data  De-­‐Identification

all  Personally  Identifiable  Information  (P

minimize the data your product collects

It is best to assume that the student information you collect in your app is statutorily confidential, unless it is de-identified

data security features

build privacy

Metadata that have been stripped of all direct and indirect identifiersare notconsidered protected informationunder FERPA because they are not PII.

In order to create studentaccounts, the districtor schoolwill likely need to give the provider the students’ names and contact informationfrom the students’ education records, which areprotected byFERPA

personally identifiable information (PII) from students’ education records from unauthorized disclosure.

 Limit retention to what is useful.

software is increasingly deployed from hosted services, as opposed to on a local district network

(but not nonprofits)

the hostile environments so many experience when it comes to experimenting locally with ed-tech versus an almost infantile trust in our corporate overlords when it comes to outsourcing.

little to no impact on the tech giants to which many K-12 schools, colleges, and universities blissfully outsource their innovation.

What constitutes an education record is a bit blurry, making FERPA the bat it has become internally to shut down most conversations about sharing publicly on the web.