Advances in technology present opportunities to improve student learning, allow teachers and students to work more efficiently, and reduce operational costs for educational institutions. Many schools are taking advantage of these benefits by implementing online course systems and cloud computing services that allow students and teachers to access their programs, e-mails, and documents online from anywhere and almost any device.
As a New York Times article published earlier this week also highlighted, the embrace of educational cloud services also raises interesting and important questions about the privacy and security of student data. After all, these services by definition involve the movement of student and teacher communications, documents, or other data that used to be stored on-site and managed by school employees to the cloud. Cloud computing services are operated by third-party vendors, and these vendors have a range of business models and practices with respect to the collection, use and disclosure of data.
As they work to safeguard student data without inhibiting the benefits of educational technologies, we find that educational institutions increasingly are focusing on regulatory requirements and contractual protections for student data — and in particular five principles that we describe after the jump.
At the federal level, the Family Educational Rights and Privacy Act (“FERPA”) and the Children’s Online Privacy Protection Act (“COPPA”) govern the privacy of student data when educational institutions engage cloud service providers.
- FERPA generally prohibits the disclosure by schools of personally identifiable information from a student’s education records, unless the educational institution has obtained signed and dated written consent from a parent or eligible student or one of FERPA’s exceptions applies.
- COPPA, in contrast, governs operators of websites and online services that are directed to children under the age of 13 and operators of general audience websites or online services that have actual knowledge that a user is under 13. Notably, the Federal Trade Commission has clarified that if an educational institution contracts with a cloud service provider that uses the students’ data for advertising or marketing purposes, then COPPA is triggered.
- Some state governments and local school districts have other requirements or policies in place that must be followed. For example, Maryland regulations restrict third-party access to student records, unless necessary to serve “legitimate and recognized educational ends.” Md. Code Regs. 13A.08.02.04.
Aside from ensuring regulatory compliance, educational institutions may look to contractual protections to ensure proper stewardship of student data in the cloud. Indeed, the Department of Education itself has encouraged educational institutions to view FERPA as a floor and not a ceiling. Another public sector actor, the International Association of Chiefs of Police, has issued guidance suggesting that members require by contract that “[t]he cloud provider should not capture, maintain, scan, index, share with third parties, or conduct any other form of data analysis or processing of law enforcement data for such purposes as advertising, product improvement, or other commercial purposes.” Given their role in safeguarding student data, schools may embrace similar contractual norms.
While educational institutions should always consult with counsel when evaluating their legal obligations or the terms of a cloud services agreement, we understand that many institutions are taking into account the following principles:
- Maintain control of student data. The exception under FERPA that is relied upon to allow disclosure of data by schools to their cloud service providers―known as the “school official” exception― applies only if the cloud service provider remains under the “direct control of the educational institution” with respect to the use and maintenance of education records. The concept of “direct control” is not specifically defined in FERPA, but it is interpreted to encompass imposing restrictions via contract on the service provider’s conduct. In particular, educational institutions may elect to define key terms in their cloud service contracts (such as the definition of an “education record” and what is “personally identifiable information” versus “non-personally identifiable information”), rather than providing the service provider discretion to interpret these terms. Additionally, direct control anticipates that the educational institution will clearly specify in the contract what the cloud service provider can and cannot do with student data.
- Expressly prohibit the mining of student data for advertising and marketing purposes. Here again, for purposes of FERPA the cloud service provider acts as a “school official” in its receipt of student data. Just as a school administrator or teacher wouldn’t track a students’ classroom communications, homework, and educational interests for advertising or marketing purposes, schools expect that their cloud service providers will not engage in such activities. Express contractual terms preventing use of student data for marketing and advertising purposes can help to avoid any confusion or mishaps on this point.
- Enter into a comprehensive agreement covering all of the cloud services provided to the educational institution. Cloud service providers may offer different services to educational institutions, businesses, and consumers. The specific terms and conditions for one service might vary significantly from another service. This is often the case where a vendor offers some services under a negotiated or contracted arrangement with the institution and others under individual “click thru” terms to students and teachers as they access and use the service. As a result, schools may reasonably expect either (i) to have a negotiated contract or series of contracts that cover all services provided by the vendor to the school, or (ii) that the “click thru” terms of any services not covered by a negotiated enterprise contract meet applicable regulatory requirements and institution contracting norms.
- Consider how providers may use “anonymized” data. FERPA allows educational institutions to use or disclose de-identified data without consent. There are debates, however, concerning what it takes to de-identify data. Researchers repeatedly have discussed how individuals may be reidentified using large sets of “anonymized” data. Given these ambiguities, educational institutions may decide to prohibit any use of data that the cloud provider obtains in providing the service to the school―whether or not anonymized―other than uses specifically allowed by the contract.
- Conduct due diligence into the cloud service provider’s practices with respect to student data. Educational institutions are under pressure by parents and regulators to ensure that student and institution data is properly safeguarded. In discussing new technologies with parents and other stakeholders, educational institutions may be asked to answer key questions such as how the cloud service provider will collect, use, and disclose student data; whether teachers, school administrators, and parents are able to review and order deletion of the student’s data; the data security measures that the cloud service provider has implemented; and the cloud service provider’s data retention and deletion policies.