Education Framework Blog

Focused on the Future of Education in America

Student Data Privacy Best Practices


Understanding that you need to do something and knowing what to do are two very different things. But simply breaking things down into smaller chunks often allows one to see more clearly, understand how the pieces fit together, and determine how to tackle each piece individually to achieve a positive end result. 

Today, we are utilizing this approach with regards to managing student data privacy. By breaking it down into simpler components, we are condensing a vast and often confusing array of information into a manageable set of guidelines for educators to follow. 

Based on best practice recommendations from the U.S. Department of Education Privacy Technical Assistance Center (PTAC) and other leading education organizations, we have assembled three easy-to-remember recommendations to help protect student privacy. They are as follows: 

1. Be Knowledgeable - Understand the privacy landscape and your legal obligations.

  • Know your student privacy laws. Federal laws include FERPA, COPPA and PPRA, but new state regulations are being implemented all across the nation, so it is important to know what is going on in your state. 
  • Create data inventories to fully understand the scope of information being collected and shared. 
  • Track which online and educational services are currently being used in your district.
  • Monitor privacy policies for changes.

2. Be Accountable Establish a data governance plan and guidelines to follow. 

  • Make a plan that addresses the full life cycle of data, from acquisition - to use - to disposal. Ensure the individual privacy and confidentiality of education records by defining rules.
  • Have policies and procedures in place to evaluate and approve online educational services. Determine who has purchasing authority and proactively define the scope and limitations of that authority. 
  • Use written contracts or legal agreements laying out security and data stewardship, data collection, data deletion, data use, data retention, data disclosure and data destruction provisions. 
  • Consider parental consent even in instances where federal law does not require. 

3. Be Transparent - Communicate your plan and engage parents in the privacy conversation. 

  • Post information about your student data policies, practices and usage on an easy-to-locate public webpage. Utilize parent-teacher dashboards, if possible. 
  • Be explicit about what information you collect about your students, and what that information is used for. 
  • Explain what, if any, personal information is shared with third party service providers, and how that information is safeguarded. 
  • Let parents know where they can get more information.

By following these recommendations, school and district administrators are taking necessary precautions to protect their students and their districts from harm. As mentioned in our previous blog entryPTAC has a wealth of resources available to help. They have even created a specific checklist for developing school district privacy programs. 


There are also automated student data privacy solutions available to help schools and districts proactively manage privacy obligations with transparency and accountability. Solutions like EdProtect take the guesswork out of managing student data privacy and offer an added layer of security, providing peace-of-mind for those tasked with protecting student information.  

Student Privacy 101: The low down on the laws of the land


Long gone are the days when protecting student information meant locking a filing cabinet. Today, with students using hundreds of different apps over the course of their education, software providers obscuring how they use data in complicated Terms of Service contracts, and an ever-shifting legal landscape, it can be extremely difficult for administrators, teachers and parents to know exactly what they need to do to protect their student data.

Over the next few posts we’ll be exploring the different factors affecting the world of student data. Our goal is to demystify the subject of student data privacy and help bring you up to speed so you can address this serious topic in your school district.

Today we’re starting by taking a current snapshot of the legal landscape. Federal laws like the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA) work to ensure student data is only used for authorized purposes; protects that data from further disclosure or other uses, like marketing or being resold to others; and mandates that it is destroyed when no longer needed for the authorized purpose.

While these laws lay a foundation for educators and online operators to follow, they don't necessarily cover all aspects of data collection and deletion. For this reason, many states are now creating their own, more specific student data privacy laws to define what is and what isn't acceptable when it comes to the collection of student information in their respective states. 

Over the past two years, nearly every state has introduced its own legislation addressing student data privacy. In 2014, California passed the Student Online Personal Information Protection Act (SOPIPA), the first of its kind, which has since been used as the model for much of the legislation being introduced by other states.

Many of these are focused on creating greater transparency and accountability for educational data, clarifying the data and privacy activities of third-party service providers, and giving parents the ability to have a say in the management of their children's privacy. They generally fall into two types of approaches: prohibitive rules that seek to limit or halt certain types of collection or uses; or governance rules that seek to establish procedures, roles and responsibilities. In addition, numerous bills have established fines and penalties for data misuse and breaches to ensure accountability.

However, for everyone with a stake in education - teachers, parents, school & district leaders, and state & federal policymakers - the new challenge is knowing what all this actually means and understanding how to properly implement an effective plan to manage student privacy. Thankfully, there are resources available to help. 

The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) is a terrific resource for understanding your legal requirements and what steps you need to take to establish compliance. The Privacy Toolkit in particular provides a useful centralized depository of materials to guide schools and districts looking to improve the security and privacy of their student data. 

In addition, groups like the Future of Privacy Forum (FPF) and the Software and Information Industry Association (SIIA) seek to create change from the industry side by encouraging members to sign the Student Privacy Pledge, committing to use student data in a responsible way. The pledge is intended to hold school service providers accountable and encourage effective communication with parents, teachers and education officials about how student information is used and safeguarded. 

Tools like EdProtect take it one step further and actually manage the process for you. Designed to protect students from data abuse, it ensures that schools and districts are in complete compliance with various federal and state regulations, engages parents in the privacy conversation, and lessens the risk of costly fines and penalties associated with the mismanagement of student information. Resources like this are crucial for helping administrators, IT staff and teachers proactively manage their student privacy obligations with transparency and accountability.

To learn how EdProtect makes your job easier, sign up for a free demonstration today.

Google Complaint Exposes Student Privacy Concerns

    This article by Re / code author Dawn Chmielewski does a great job of breaking down the Electronic Frontier Foundation's FTC complaint against Google...


When Personalized Learning Gets Too Personal: Google Complaint Exposes Student Privacy Concerns
When does personalized learning get too personal? That's the question behind a United States Federal Trade Commission complaint filed last week by the Electronic Frontier Foundation accusing Google of collecting and using personal student information for non-education purposes and in violation of its K-12 Student Privacy Pledge.

Though Google has said that it did nothing wrong and remained “firmly committed” to keeping student information private and secure, the accusation exposes the escalating tension between school systems entrusted with safeguarding the privacy of kids and the innovators pushing the boundaries of modern education.

Google agreed last year to stop scanning the Gmail accounts of millions of students using its Google Apps for Education, a collection of software for creating documents, spreadsheets and presentations and storing school projects. Although the technology giant said it wouldn’t place ads within Apps for Education, it could potentially have used that information to target ads to students elsewhere online. Google has said it never used student data to target ads anywhere.

Concerns about what data is being collected and how it is being used drove the EFF to investigate what Google was doing with data compiled through its Apps for Education program, after one parent complained. Jeff W., worried that his 9-year-old daughter would be tracked online, contacted the EFF after his daughter’s school began mandating the use of Chromebooks in the classroom. His concerns only grew when the district created a Google account for his daughter that included her real name and date of birth. 

In California, the California Student Online Personal Information Protection Act (SOPIPA), which takes effect Jan. 1, will prohibit the operators of websites, online services and apps from using student data for targeting advertising or creating individual profiles except for school purposes. It restricts the sale or disclosure of student information and mandates that this sensitive data be protected.

Hailed by some as landmark legislation, SOPIPA has a significant loophole: These privacy protections do not follow the student when they wander beyond the digital school perimeter to general websites, online services or mobile apps. That could open the door to Google serving targeted ads to students once they leave its education apps, the EFF warned in a letter to one Northern California school district — though the federal Children’s Online Privacy Protection Act (COPPA) prevents sites from gathering information about children under the age of 13 without first obtaining a parent’s consent.

Read full article here >>

Montana High School Inadvertently Exposes Sensitive Student Information

In what has been termed an “unintentional data breach,” a Montana school district is in hot water today as the nation learns that they inadvertently shared extremely sensitive student information in an email to parents. 

The email, sent to 28 parents, contained highly sensitive academic, medical, disciplinary and criminal information about hundreds of students at Hellgate High School in Missoula, Montana. 

In all, information disclosed included the names of students...

  • in school-based mental health counseling
  • diagnosed with developmental disabilities 
  • involved in family-abuse cases
  • suspended or have been involved in other disciplinary measures 
    • including the nature of their infractions,
      • alcohol and drug use, possession of weapons and thefts.
  • not compliant with immunization requirements 
  • failing classes
The email also included a single page of a performance evaluation for a teacher.

On Monday afternoon, Missoula County Public Schools (MCPS) said in a statement that the cause of the data release remains under investigation. 

"We deeply apologize for any inconvenience or concerns this incident may cause for our students and families," MCPS Superintendent Mark Thane said in the statement. "While this was an unintentional release of information, we understand that the district is ultimately responsible to safeguard student information."

According to parents who received the email, the school contacted them shortly after it was sent and asked them to delete it without reading the attachment.

MCPS on Monday declined to comment on how the assortment of information came to be included in the single file. 

UPDATE: Read Superintendent Mark Thane's response letter here >>