Online Learning During COVID-19: FERPA Considerations
Cybersecurity and Privacy Alert
This is the third alert in a series of Bradley installments on privacy and cybersecurity issues that may arise during the current COVID-19 pandemic. This installment focuses on privacy concerns related to schools and universities moving to a remote learning structure. Click to read the first and second installments.
In dozens of states, hundreds of K-12 schools, colleges, and universities are switching to remote learning to slow the spread of COVID-19. However, moving to an online classroom environment comes with its own set of challenges, including privacy concerns.
One such concern is the Family Educational Rights and Privacy Act (FERPA). FERPA is a federal law that gives parents of minor students certain rights with respect to their children’s education records. These rights include the right to inspect and review records; the right to seek amendment of records; and the right to control (to some extent) the disclosure of the records themselves or personally identifiable information within those records.
FERPA defines education records as “records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution.” FERPA applies to both written and digital records. These rights belong to the parent until the student turns 18, upon which time the rights pass to the student.
As schools scramble to find online learning resources and alternative instruction, consideration should be given to how personal information, assessments, or other data collected or used by outside learning applications and resources will be deemed records under FERPA.
FERPA applies to “an educational agency or institution to which funds have been made available under any program administered” by the Department of Education. These funds include any “grant, cooperative agreement, contract, subgrant, or subcontract;” and/or any funds provided to “students attending” the institution that are then paid to the institution, such as Pell Grants and the Guaranteed Student Loan Program. This includes any institution that provides “education services or instruction” or is “authorized to direct and control public elementary or secondary, or postsecondary educational institutions.”
Guidance on Use of Outside Learning Resources
Schools considering the switch to online learning should look to the 2015 guide from the U.S. Department of Education when determining what additional measures should be taken pursuant to FERPA. The guidance specifically addresses the use of third-party service providers under FERPA. To make the most of this guidance, schools may need to answer a few questions up front. For example, do the third-party service providers require personally identifiable information from students’ education records in order to deliver the agreed-upon services? If so, FERPA may permit the disclosure of such records, subject to additional qualifications and requirements. The third-party must (1) perform an institutional service or function for which the school would otherwise use employees; (2) meet the criteria set forth in the school’s annual notification of FERPA rights for being a “school official” with a legitimate educational interest in education records; (3) be under the direct control of the school regarding the use and maintenance of the records; and (4) must use the records only for the authorized purposes and may not disclose such records to other parties, unless given specific permission or authorization (see 34 CFR § 99.31(a)(1)(i)).
When personally identifiable information from education records is disclosed to the provider, FERPA still governs its use, and the school remains responsible for its protection. Additionally, schools should require transparency about how student data obtained or collected under a contract or agreement is used, plans for data security and confidentiality of personally identifiable information, and evidence that the school or district will retain direct control of the use and maintenance of the records.
As schools ramp up virtual classrooms, encourage parents to use third-party educational resources, and allow the use of digital applications, privacy and regulatory compliance considerations need to be front and center. Although this crisis is forcing schools to consider the effects of virtual learning on privacy and legal obligations, virtual education needs are likely to continue well past this current pandemic.