What is student data and what does it include?
The Family Educational Rights and Privacy Act (FERPA) (see 20 U.S.C. § 1232g and 34 CFR Part 99) protects personally identifiable information (PII) from students’ education records from unauthorized disclosure. FERPA defines education records as “records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution” (see 34 CFR § 99.3 definition of “education record”). FERPA also defines the term PII, which includes direct identifiers (such as a student’s or other family member’s name) and indirect identifiers (such as a student’s date of birth, place of birth, or mother’s maiden name) (see 34 CFR § 99.3 definition of “personally identifiable information”). For more information about FERPA, please visit the Family Policy Compliance Office’s website.
Some types of online educational services do use FERPA-protected information. For example, a district may decide to use an online system to allow students (and their parents) to log in and access class materials. In order to create student accounts, the district or school will likely need to give the provider the students’ names and contact information from the students’ education records, which are protected by FERPA. Conversely, other types of online educational services may not implicate FERPA-protected information. For example, a teacher may have students watch video tutorials or complete interactive exercises offered by a provider that does not require individual students to log in. In these cases, no PII from the students’ education records would be disclosed to (or maintained by) the provider (Source: PTAC)
What are some of the potential consequences of not being aware of student privacy protections when using a digital tool?
Use of a digital tool that has not been vetted presents the opportunity for student level data to be inappropriately exposed, shared, or in some cases sold.
Why can’t I just make fake names for student accounts?
A made up username or ID is simply another student identifier. It does not change the fact that the online digital tool may be collecting student level data and work that needs to be protected.
If a website or app doesn’t ask for a student’s name, can I use it?
All applications should be properly vetted to ensure any student level data collected is properly protected.
Many online applications say “Sign In with Google.” Aren’t those OK to use since our students have CPS Google accounts?
No, these applications also need to be vetted. Using a CPS Google Login does not ensure that the data remains in the CPS Google Domain.
How can we get more companies on board? In other words, what can teachers do to explain the importance of this and why companies should care?
Refer the companies to the CPS website as well as the Student Data Privacy Consortium, who’s goal is to engage vendors on this topic.
Why do we need to get approval to use some resources?
In order to ensure all student level data is properly protected all online applications need to be properly vetted by the ICTS department.
What kinds of resources do I need to get approval for?
Any resource that a student interacts with needs to be approved.
How do I know if a resource has already be approved to be used?
All Approved resources can be found here.
Are there any other schools/districts using an approval process?
Yes, this process is being replicated in 16 states and thousands of school districts.
Why can’t we just get a parent permission slip to be able to use any digital tool?
Parental consent is an option, be we consider this an option of last resort. Managing parental consent for all students and addressing replacement resources for students without parental consent can be a hinderance.
What is the first step of our approval process?
The process is outlined here.
How long will it take to get a resource approved?
This depends on how responsive the vendor is as well as any issues that may exist in the vendor’s student data protection strategies. The entire process could take days or up to a year.
How can I check the status of an approval request?
Progress email notifications will be send to you automatically during each stage of the process to ensure you stay up-to-date.
Am I able to use the application while waiting for approval?
No.
What do I do if a resource I requested declines to sign our privacy agreement?
ICTS will help you seek out an alternative application that meets your needs and adequately protects student data privacy.
Why does it take so long to get a data breach agreement signed sometimes?
There are many reasons that might drag out the process. These may include;
- The Vendor business model - especially for free applications - leverages the re-use of student level data for profit.
- Vendor has no legal resources to review document
- Vendor refuses to consider separate agreement
- The resource has flaws that expose student level data
What if I’ve already been using the resource with students and didn’t know it wasn’t approved?
Contact ICTS and they will assist.
What if I’ve paid for the resource?
Same process applies for teacher paid resources, District paid, or free resources.
If a student wants to use an unapproved resource for an individual project (when students are allowed to choose how they present their work, for instance), and the parent approves, is that okay? In other words, if I’m not requiring or encouraging the resource’s use, can a student choose to use it on school equipment?
Not without written parental consent.
Questions about the Media Release Form?
Access the Media Release Form FAQs.