Education Framework Blog

Focused on the Future of Education in America

Student Data Privacy Best Practices

Understanding that you need to do something and knowing what to do are two very different things. But simply breaking things down into smaller chunks often allows one to see more clearly, understand how the pieces fit together, and determine how to tackle each piece individually to achieve a positive end result. 

Today, we are utilizing this approach with regards to managing student data privacy. By breaking it down into simpler components, we are condensing a vast and often confusing array of information into a manageable set of guidelines for educators to follow. 

Based on best practice recommendations from the U.S. Department of Education Privacy Technical Assistance Center (PTAC) and other leading education organizations, we have assembled three easy-to-remember recommendations to help protect student privacy. They are as follows: 

1. Be Knowledgeable - Understand the privacy landscape and your legal obligations.

  • Know your student privacy laws. Federal laws include FERPA, COPPA and PPRA, but new state regulations are being implemented all across the nation, so it is important to know what is going on in your state. 
  • Create data inventories to fully understand the scope of information being collected and shared. 
  • Track which online and educational services are currently being used in your district.
  • Monitor privacy policies for changes.

2. Be Accountable Establish a data governance plan and guidelines to follow. 

  • Make a plan that addresses the full life cycle of data, from acquisition - to use - to disposal. Ensure the individual privacy and confidentiality of education records by defining rules.
  • Have policies and procedures in place to evaluate and approve online educational services. Determine who has purchasing authority and proactively define the scope and limitations of that authority. 
  • Use written contracts or legal agreements laying out security and data stewardship, data collection, data deletion, data use, data retention, data disclosure and data destruction provisions. 
  • Consider parental consent even in instances where federal law does not require. 

3. Be Transparent - Communicate your plan and engage parents in the privacy conversation. 

  • Post information about your student data policies, practices and usage on an easy-to-locate public webpage. Utilize parent-teacher dashboards, if possible. 
  • Be explicit about what information you collect about your students, and what that information is used for. 
  • Explain what, if any, personal information is shared with third party service providers, and how that information is safeguarded. 
  • Let parents know where they can get more information.

By following these recommendations, school and district administrators are taking necessary precautions to protect their students and their districts from harm. As mentioned in our previous blog entryPTAC has a wealth of resources available to help. They have even created a specific checklist for developing school district privacy programs. 

There are also automated student data privacy solutions available to help schools and districts proactively manage privacy obligations with transparency and accountability. Solutions like EdProtect take the guesswork out of managing student data privacy and offer an added layer of security, providing peace-of-mind for those tasked with protecting student information.  

Student Privacy 101: The low down on the laws of the land

Long gone are the days when protecting student information meant locking a filing cabinet. Today, with students using hundreds of different apps over the course of their education, software providers obscuring how they use data in complicated Terms of Service contracts, and an ever-shifting legal landscape, it can be extremely difficult for administrators, teachers and parents to know exactly what they need to do to protect their student data.

Over the next few posts we’ll be exploring the different factors affecting the world of student data. Our goal is to demystify the subject of student data privacy and help bring you up to speed so you can address this serious topic in your school district.

Today we’re starting by taking a current snapshot of the legal landscape. Federal laws like the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA) work to ensure student data is only used for authorized purposes; protects that data from further disclosure or other uses, like marketing or being resold to others; and mandates that it is destroyed when no longer needed for the authorized purpose.

While these laws lay a foundation for educators and online operators to follow, they don't necessarily cover all aspects of data collection and deletion. For this reason, many states are now creating their own, more specific student data privacy laws to define what is and what isn't acceptable when it comes to the collection of student information in their respective states. 

Over the past two years, nearly every state has introduced its own legislation addressing student data privacy. In 2014, California passed the Student Online Personal Information Protection Act (SOPIPA), the first of its kind, which has since been used as the model for much of the legislation being introduced by other states.

Many of these are focused on creating greater transparency and accountability for educational data, clarifying the data and privacy activities of third-party service providers, and giving parents the ability to have a say in the management of their children's privacy. They generally fall into two types of approaches: prohibitive rules that seek to limit or halt certain types of collection or uses; or governance rules that seek to establish procedures, roles and responsibilities. In addition, numerous bills have established fines and penalties for data misuse and breaches to ensure accountability.

However, for everyone with a stake in education - teachers, parents, school & district leaders, and state & federal policymakers - the new challenge is knowing what all this actually means and understanding how to properly implement an effective plan to manage student privacy. Thankfully, there are resources available to help. 

The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) is a terrific resource for understanding your legal requirements and what steps you need to take to establish compliance. The Privacy Toolkit in particular provides a useful centralized depository of materials to guide schools and districts looking to improve the security and privacy of their student data. 

In addition, groups like the Future of Privacy Forum (FPF) and the Software and Information Industry Association (SIIA) seek to create change from the industry side by encouraging members to sign the Student Privacy Pledge, committing to use student data in a responsible way. The pledge is intended to hold school service providers accountable and encourage effective communication with parents, teachers and education officials about how student information is used and safeguarded. 

Tools like EdProtect take it one step further and actually manage the process for you. Designed to protect students from data abuse, it ensures that schools and districts are in complete compliance with various federal and state regulations, engages parents in the privacy conversation, and lessens the risk of costly fines and penalties associated with the mismanagement of student information. Resources like this are crucial for helping administrators, IT staff and teachers proactively manage their student privacy obligations with transparency and accountability.

To learn how EdProtect makes your job easier, sign up for a free demonstration today.

Google Complaint Exposes Student Privacy Concerns

    This article by Re / code author Dawn Chmielewski does a great job of breaking down the Electronic Frontier Foundation's FTC complaint against Google...

When Personalized Learning Gets Too Personal: Google Complaint Exposes Student Privacy Concerns
When does personalized learning get too personal? That's the question behind a United States Federal Trade Commission complaint filed last week by the Electronic Frontier Foundation accusing Google of collecting and using personal student information for non-education purposes and in violation of its K-12 Student Privacy Pledge.

Though Google has said that it did nothing wrong and remained “firmly committed” to keeping student information private and secure, the accusation exposes the escalating tension between school systems entrusted with safeguarding the privacy of kids and the innovators pushing the boundaries of modern education.

Google agreed last year to stop scanning the Gmail accounts of millions of students using its Google Apps for Education, a collection of software for creating documents, spreadsheets and presentations and storing school projects. Although the technology giant said it wouldn’t place ads within Apps for Education, it could potentially have used that information to target ads to students elsewhere online. Google has said it never used student data to target ads anywhere.

Concerns about what data is being collected and how it is being used drove the EFF to investigate what Google was doing with data compiled through its Apps for Education program, after one parent complained. Jeff W., worried that his 9-year-old daughter would be tracked online, contacted the EFF after his daughter’s school began mandating the use of Chromebooks in the classroom. His concerns only grew when the district created a Google account for his daughter that included her real name and date of birth. 

In California, the California Student Online Personal Information Protection Act (SOPIPA), which takes effect Jan. 1, will prohibit the operators of websites, online services and apps from using student data for targeting advertising or creating individual profiles except for school purposes. It restricts the sale or disclosure of student information and mandates that this sensitive data be protected.

Hailed by some as landmark legislation, SOPIPA has a significant loophole: These privacy protections do not follow the student when they wander beyond the digital school perimeter to general websites, online services or mobile apps. That could open the door to Google serving targeted ads to students once they leave its education apps, the EFF warned in a letter to one Northern California school district — though the federal Children’s Online Privacy Protection Act (COPPA) prevents sites from gathering information about children under the age of 13 without first obtaining a parent’s consent.

Read full article here >>

Student Privacy Pledge Reaches New Milestone

Introduced by The Future of Privacy Forum (FPF) and The Software & Information Industry Assocation (SIIA), the Student Privacy Pledgedesigned to safeguard student privacy regarding the collection, maintenance, and use of student personal information, has reached a new milestone - over 200 signatories. 

Endorsed by President Obama, the National PTA, and the National School Boards Association, the Pledge is a list of commitments school service providers have made to affirm K-12 student data is maintained in a secure, private and responsible framework.  

The Student Privacy Pledge will hold school service providers accountable to:
  • Not sell student information
  • Not behaviorally target advertising
  • Use data for authorized education purposes only
  • Not change privacy policies without notice and choice
  • Enforce strict limits on data retention
  • Support parental access to, and correction of errors in, their children's information
  • Profide comprehensive security standards
  • Be transparent about collection and use of data
It further states the critical importance of effectively communicating with parents, teachers and education officials about how student information is used and safeguarded. 

We, at Education Framework, signed the Student Privacy Pledge just after it was initally introduced in October 2014. We appreciate the efforts of both FPF and SIIA for bringing attention to a critical and time-sensitive issue, and encourage all school service providers to take the necessary steps to ensure student data is safe. We are especially thankful to all our fellow signatories for making the ethical & cognitive decision to proactively protect student data. 

For more information on how to support the Pledge, please visit:

Student Data Privacy in the Spotlight

President Obama called for legislation to protect students' online data in a speech at the FTC.

Companies that provide educational technology might find themselves in the spotlight if they fail to sign a voluntary pledge to safeguard student data. 


"We want to encourage every company that provides technology to our schools to join this effort," the president said, "and if you don't join this effort, then we intend to make sure that those parents and those schools know that you haven't joined" it. 


Obama did not provide details about how companies could be called out for failing to sign the pledge.

Full story here:

The President talks Student Privacy...wait! What??

Why is this important for students and parents? Because, the Administration is taking notice. 

It pushes student privacy to the forefront and will allow us to discuss this issue and work towards effecting change in the way we view privacy, data ownership and technology.

Ed-tech is transforming how children learn. We want students recognized as owners of their data, so they’re empowered to make decisions about their education. As we work to protect student privacy, we must ask ourselves whose privacy are we protecting and what learners are being left vulnerable. Because unless we address these questions, we limit the conversation to what data points should and should not be collected instead of how can we turn data into valuable information.

                                                                                                              - Thoughts from Olga Garcia-Kaplan

Read full post here: