What is student data and what does it include?
The Family Educational Rights and Privacy Act (FERPA) (see 20 U.S.C. § 1232g and 34 CFR Part 99) protects personally identifiable information (PII) from students’ education records from unauthorized disclosure. FERPA defines education records as “records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution” (see 34 CFR § 99.3 definition of “education record”). FERPA also defines the term PII, which includes direct identifiers (such as a student’s or other family member’s name) and indirect identifiers (such as a student’s date of birth, place of birth, or mother’s maiden name) (see 34 CFR § 99.3 definition of “personally identifiable information”). For more information about FERPA, please visit the Family Policy Compliance Office’s website.
Some types of online educational services do use FERPA-protected information. For example, a district may decide to use an online system to allow students (and their parents) to log in and access class materials. In order to create student accounts, the district or school will likely need to give the provider the students’ names and contact information from the students’ education records, which are protected by FERPA. Conversely, other types of online educational services may not implicate FERPA-protected information. For example, a teacher may have students watch video tutorials or complete interactive exercises offered by a provider that does not require individual students to log in. In these cases, no PII from the students’ education records would be disclosed to (or maintained by) the provider (Source: PTAC)
Some very useful and widely used software tools have declined to sign an agreement - is there an alternative?
If a vendor refuses to sign an agreement, the software cannot be used. While it is possible to obtain parental consent, we consider this to be not a viable option. In addition to obtaining written parental consent and tracking that consent, we must also offer an alternative product or method for students whose parents do not provide consent.
The software I would like to use has a privacy agreement on their web site - why can't we use that agreement?
Every company creates their own privacy agreement. Their agreement is written for their purposes and may not comply with FERPA or other state or federal laws that protect students. By agreeing to the State DPA through the TEC Collaborative, we can ensure our students are properly protected.
It seems like a lot of companies refuse to sign our agreement - is it too strict?
The TEC Collaborative helped create the Massachusetts State Data Privacy Agreement. It is the same agreement used across the state. If a vendor doesn't sign, they are not signing for any Massachusetts school.
What are some of the potential consequences of not being aware of student privacy protections when using a digital tool?
Use of a digital tool that has not been vetted presents the opportunity for student level data to be inappropriately exposed, shared, or in some cases sold.
Why can’t I just make fake names for student accounts?
A made up username or ID is simply another student identifier. It does not change the fact that the online digital tool may be collecting student level data and work that needs to be protected.
If a website or app doesn’t ask for a student’s name, can I use it?
All applications should be properly vetted to ensure any student level data collected is properly protected.
Many online applications say “Sign In with Google.” Aren’t those OK to use since our students have WPS Google accounts?
No, these applications also need to be vetted. Using a WPS Google Login does not ensure that the data remains in the WPS Google Domain.
How can we get more companies on board? In other words, what can teachers do to explain the importance of this and why companies should care?
Refer the companies to the WPS website as well as the Student Data Privacy Consortium, who’s goal is to engage vendors on this topic.
Why do we need to get approval to use some resources?
In order to ensure all student level data is properly protected all online applications need to be properly vetted by the OIT department.
What kinds of resources do I need to get approval for?
Any resource that a student interacts with needs to be approved.
How do I know if a resource has already be approved to be used?
All approved resources can be found here.
Are there any other schools/districts using an approval process?
Yes, this process is being replicated in 16 states and thousands of school districts.
Why can’t we just get a parent permission slip to be able to use any digital tool?
Parental consent is an option, be we consider this an option of last resort. Managing parental consent for all students and addressing replacement resources for students without parental consent can be a hinderance.
What is the first step of our approval process?
First, check if the resource already has an agreement on our Digital Resource List. If the resources is not already on the list with an approved agreement, submit a help desk ticket or email the Director of Technology & Digital Learning.
How long will it take to get a resource approved?
This depends on how responsive the vendor is as well as any issues that may exist in the vendor’s student data protection strategies. The entire process could take days or up to a year.
How can I check the status of an approval request?
Contact the Director of Technology & Digital Learning.
Am I able to use the application while waiting for approval?
No.
What do I do if a resource I requested declines to sign our privacy agreement?
OIT will help you seek out an alternative application that meets your needs and adequately protects student data privacy.
Why does it take so long to get a data breach agreement signed sometimes?
There are many reasons that might drag out the process. These may include;
- The Vendor business model - especially for free applications - leverages the re-use of student level data for profit.
- Vendor has no legal resources to review document
- Vendor refuses to consider separate agreement
- The resource has flaws that expose student level data
What if I’ve already been using the resource with students and didn’t know it wasn’t approved?
Contact OIT and we will assist.
What if I’ve paid for the resource?
Same process applies for teacher paid resources, District paid, or free resources.
If a student wants to use an unapproved resource for an individual project (when students are allowed to choose how they present their work, for instance), and the parent approves, is that okay? In other words, if I’m not requiring or encouraging the resource’s use, can a student choose to use it on school equipment?
Not without written parental consent.
Thank you to Steve Smith and the Cambridge Public Schools ICTS Department for providing most of the information for these FAQs.