
Protecting Student Privacy While Using Online Educational Services
Eric Gray, Privacy Technical Assistance Center
United States Department of Education, Privacy Technical Assistance Center
May 2016

Slide 2: Summary of Today’s Discussion
- The changing landscape of education technology in schools
- Legal protections for students’ information used in online educational services
- How FERPA and PPRA protect student information used in online educational services
- Beyond compliance: best practices for protecting student privacy
- Resources for developing your own policy on third party applications
Diagram labels: Background and Regulatory Requirements; Best Practices; “Musts”; “Shoulds”

Slide 3: Use of Education Technology in Schools
- Student Information Systems
- Productivity applications
- Educational applications
- Fundamental school services
- Online Educational Services (What we’re talking about today)

Slide 4: Online Educational Services – Let’s Define It!
- Computer software, mobile applications (apps), or web-based tools;
- Provided by a third-party provider (TPP) to a school or district;
- Accessed via the Internet by students and/or parents; AND
- Used as part of a school activity.
*This guidance does not cover online services or social media used in a personal capacity, nor does it apply to services used by a school or district that are not accessed by parents or students.

Slide 5: The Challenge of Online Educational Services
- Schools and districts are increasingly contracting out school functions.
- Increasingly-connected classrooms, and teachers looking to take advantage of new technology to educate students.
- Many online services do not utilize the traditional 2-party written contractual business model.
- Terms of Service Agreements are everywhere!
- Increasing concern about the commercialization of personal information and behavioral marketing
- We need to use that data effectively and appropriately, and still protect students’ privacy

Slide 6: ED’s Role in Protecting Privacy and our Discussion on Online Educational Services
- These services may use student data, which is protected by FERPA.
- Vendors and App creators (TPPs) are not always clear on what they do with the student data they may use or collect. (This may not always be intentional!)
- Given that potential for a violation of FERPA, ED is particularly interested in developing the skills of district staff to be able to accurately evaluate these services to ensure that the data they collect is being handled properly.

Slide 7: Question 1: Is student information used in online educational services protected by FERPA?

Slide 8: Is student information used in online educational services protected by FERPA?
- It depends!
- Some data used in online educational services is protected by FERPA. Other data may not be.
- Schools and Districts will typically need to evaluate the use of online educational services on a case by case basis to determine if FERPA-protected information is implicated.

Slide 9: Question 2: What does FERPA require if PII from students’ education records is disclosed to a provider?

Slide 10: What does FERPA require if PII is disclosed to a provider?
- Parental consent for the disclosure; OR
- Disclosure under one of FERPA’s exceptions to the consent requirement. Typically, either:
  - Directory Information exception
    - Remember parents’ right to “opt-out” – This may completely de-rail the use of the application!
  - School Official exception

Slide 11: School Official Exception
Schools or LEAs can use the School Official exception to disclose education records to a third party provider (TPP) if the TPP:
- Performs a service/function for the school/district for which it would otherwise use its own employees
- Is under the direct control of the organization with regard to the use/maintenance of the education records
- Uses education data in a manner consistent with the definition of the “school official with a legitimate educational interest,” specified in the school/LEA’s annual notification of rights under FERPA
- Does not re-disclose or use education data for unauthorized purposes

Slide 12: Question 3: Under FERPA, are providers limited in what they can do with the student information they collect or receive?

Slide 13: Are providers limited in what they can do with the student information they collect or receive?
- If PII is disclosed under the Directory Information exception:
  - No limitations other than what the school/district includes in their agreement with the provider.
- If PII is disclosed under the School Official exception:
  - PII from education records may only be used for the specific purpose for which it was disclosed
  - TPPs may not sell or share the PII, or use it for any other purpose except as directed by the school/district and as permitted by FERPA
- When personal information is collected from a student, the PPRA may also apply!
  - PPRA places some limitations on the use of personal information collected from students for marketing

Slide 14: Protection of Pupil Rights Amendment (PPRA)
- Amended in 2001 with No Child Left Behind Act
- Mostly known for its provisions dealing with surveys in K-12
- Includes limitations on using personal information collected from students for marketing
  - May require parental notification and opportunity to opt out
  - May require the development of policies in conjunction with parents
- However … a significant exception for “educational products or services”

Slide 15: Question 4: What about metadata? Are there restrictions on what providers can do with metadata about students’ interactions with their services?

Slide 16: What about metadata?
- “Metadata” are pieces of information that provide meaning and context to other data being collected, for example:
  - Activity date and time
  - Number of attempts
  - How long the mouse hovered before clicking an answer
- Metadata that have been stripped of all direct and indirect identifiers are not protected under FERPA (note: school name and other geographic information are often indirect identifying information in student data).
- Be careful when evaluating what services do with collected metadata. It may be considered a violation of FERPA if metadata that is linkable to student PII is used for other purposes.
- Properly de-identified metadata may be used by providers for other purposes (unless prohibited by their agreement with the school/district)

Slide 17: Other laws to consider
- Children’s Online Privacy Protection Act (COPPA)
  - Applies to commercial Web sites and online services directed to children under age 13, and those Web sites and services with actual knowledge that they have collected personal information from children
  - Administered by the Federal Trade Commission
  - See security/childrens-privacy for more information
- State, Tribal, or Local Laws

Slide 18: Let’s Shift Gears
And talk about some best practices

Slide 19: Best Practices for Protecting Student Privacy
- Maintain awareness of other relevant laws – FERPA is the floor, and not the ceiling of privacy! YMMV with other state or local laws.
- Be aware of which online educational services are currently being used in your district
- When possible, use a written contract or legal agreement
- Carefully evaluate Terms of Service Agreements! Consider that parental consent may be appropriate.
- Have policies and procedures to evaluate and approve proposed educational services
- Be transparent with parents and students

Slide 21: Question 5: Can individual teachers sign up for free (or “freemium”) education services?
Here’s a better question: Should individual teachers sign up for Free or “Freemium” services?

Slide 22: Using free or “freemium” educational services
- Remember FERPA’s requirements for schools and districts disclosing PII under the school official exception.
  - Direct control
  - Consistency with annual FERPA notice provisions
  - Authorized use limits on re-disclosure
- These services may also introduce security vulnerabilities into your school networks.
- It is a best practice to establish district/school level policies governing use of free/freemium services, and to train teachers and staff accordingly.

Slide 24: Question 6: What provisions should be in a school or district’s contract or Terms of Service agreement with a provider?

Slide 25: Contract and TOS Provisions
- Security and data stewardship provisions
- Data collection provisions
- Data use, retention, disclosure, and destruction provisions
- Data access provisions
- Modification, duration, and termination provisions
- Indemnification and warranty provisions

Slide 26: More Provisions to look out for…
- Defining Student Data
  - May not always be written as “data”!
- Specifications on what Metadata is collected and how it is used
  - Metadata can be used for back-end product improvements, and the collection of the data may be invisible to the user!
- Data mining provisions
  - Data may be sold to third party data miners to help identify trends, do predictive analysis, etc.
- Data Sharing and Use
  - Should only be done for the purposes outlined in the agreement.
  - Data sharing to subcontractors should be clearly stated!

Slide 27: Marketing and Advertising Provisions
- Information gathered in an online educational service or mobile application could be used to create a profile on a student.
- That profile could then be used to direct advertising/marketing materials to students.

Slide 28: Marketing and Advertising (cont’d)
- The language in a TOS should be clear that the data collected cannot be used to advertise or market to students.
- Targeted advertising/marketing could violate privacy laws.

Slide 29: Security Controls
- Student data need to be protected, and a provider’s TOS should include provisions outlining strong policies safeguarding those data.
- The safeguards used by the vendor should match or exceed the security you use locally to protect student data.
- Failure to provide adequate security could lead to a FERPA violation.

Slide 31: Question 7: Should school or district staff be concerned if a TPP uses a “Click-Wrap” or Terms of Service agreement instead of a traditional contract?

Slide 32: Answer: It Depends (Heard that one before?)
- Click-wrap or Terms of Service (TOS) agreements are not prohibited.
- Nothing in FERPA says that staff cannot click that “Accept” button.
- However, there are some considerations… (like everything else we’ve discussed today)

Slide 33: Another Type of Contract
- Many providers of online educational services and mobile applications (vendors, contractors, and other service providers) rely on a TOS agreement.
- These agreements are also referred to as “click-wrap” agreements, and can operate as a provider’s legally-binding contract.
- You’ve probably (hastily) scrolled past many similar agreements before (quickly) clicking “I agree” when adding an app to your phone or tablet.

Slide 34: Click-Wrap Agreements
Once a user at your school or district clicks “I agree,” the terms of this agreement will likely govern what information the provider may collect from or about students and with whom they may share it.

Slide 35: Take it or Leave it
- A traditional contract involves a buyer and seller agreeing on a set of terms and signing a contract containing those agreed-upon provisions.
- This is often not the case with many online educational services and mobile applications.
- Many click-wrap or TOS agreements are a binary choice: either accept the terms wholesale, or don’t use the service.

Slide 36: Ignore at Your Peril!
Click-Wrap agreements could potentially lead to a violation of the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), or other laws, as well as privacy best practices.

Slide 39: Developing District Policy
- Every school or district should have a policy in place for reviewing agreements before the service or application is used in the classroom.
- Schools/Districts should establish a review process and/or have a designated individual review TOS before its adoption.
- The service or application should be inventoried, evaluated, and support the school’s and district’s broader mission and goals.

Slide 40: Policies and Procedures to Approve Educational Services
- Test and evaluate popular services to see if they are right for your district
- Evaluate terms of service to ensure they are satisfactory
- Consider developing a repository of “approved” apps
- Training, Training, Training!

Slide 41: PTAC Guidance Videos
- Protecting Student Privacy Video
- Five minutes long
- Perfect for staff training

Slide 44: Starting on the Road to Transparency
- What information you are sharing (Data Inventory)
- Why are you collecting it?
- How are you protecting it?
- How is the data used?
- Do you share with 3rd parties?
- How can parents get more information regarding their children’s data?

Slide 45: Transparency Resources
- PTAC Guidance Videos
- Transparency Best Practices

Slide 46: Knowledge is Power
- Educate Your Staff
- Put a Policy in Place

Slide 47: CONTACT INFORMATION
United States Department of Education, Privacy Technical Assistance Center
(855) (202) (855)