Student Privacy in the Online Setting
What Law Applies?
The federal Family Educational Rights and Privacy Act (FERPA) governs student data. FERPA requirements and HIPAA privacy rule requirements contain similar provisions governing privacy, access, and disclosure. However, in the school setting it is FERPA, rather than the HIPAA privacy rule, that applies to student information and student privacy. This includes information maintained by health-related service providers such as speech-language pathologists and occupational therapists when they are working for or on behalf of the school to provide services to students. More information about the application of FERPA and HIPAA to student health records is available from the U.S. Department of Education.
In Minnesota, the Minnesota Government Data Practices Act also governs student data, including parent notice and consent about sharing private data.
What Information Qualifies as Private Student Data?
FERPA prohibits schools from disclosing private data or personally identifiable information from a student’s education record without consent or an eligible exception. “Education records” means all records that are:
- Directly related to an individual student; and,
- Maintained by an educational agency (school) or someone acting for the school.
If the school is providing services to a student in a way that does not disclose private information from a student’s record, then FERPA does not apply. The law does not specifically define “directly related” or “maintained,” however, so schools must make their own local decisions about what those terms mean. The U.S. Department of Education has guidance documents on its studentprivacy.ed.gov page that can help schools work through the process, and school administrators will want to consult their legal counsel for additional guidance.
This FAQ about photos and videos may be especially useful when considering how to provide services in the context of working with students using online platforms.
What about working with a group of students?
Providing education services to a group of students in an online setting is similar to providing services in the school setting. If you would provide instruction or other services to a group of students at school, you can take the same factors into consideration in the online setting.
What about parents who may be present?
The U.S. Department of Education has long stated that FERPA neither requires schools to nor prohibits them from allowing a parent access to the classroom to observe their child. The reasoning is that FERPA’s requirement to protect private data applies to information either in or derived from a student’s education record; an educator may not disclose that information to other students, parents, or professionals in the classroom. But information about students that is based on what is happening more generally in the classroom is not necessarily subject to FERPA because it does not come from the student’s education record. Therefore, whether a parent may observe a classroom setting is a local decision, and educators should follow their local guidance about whether it is okay for parents to be present during a group education session. School administrators will want to consult their legal counsel for additional guidance.
What about notice and consent?
It is always a good idea to give parents information about your classroom practices and how those practices might impact student privacy, and the online setting is no exception.
If you think that private student data could be shared with others because of the platform you are using or the way that you are delivering services, then you will want to inform parents about that fact. You also may need to seek parent consent if any private data might be shared as a result of delivering services in an online setting.
If you are an educator, consult your school administrators for guidance about what you need to do.
What about other issues to consider?
While working in an online setting, the risk of inadvertently sharing information with someone other than the intended recipient increases. Following best practices will help you avoid inadvertent sharing of information.
Double check to ensure:
- You are sending what you intend to send (the right document and/or content).
- You are sending to the person you intend to receive the information.
- The intended recipient is authorized to receive the information.
- You are using a secure and/or encrypted method of communication.
What Factors Should I Consider when Selecting an Online Platform?
If the school has concerns that services provided via an online platform could contain, and thus could reveal, private data about students, then the school should use a platform that incorporates security measures to ensure that private data is encrypted and cannot be accessed by individuals who do not have authority to access it. Taking these steps will help the school comply with both FERPA and the Minnesota Government Data Practices Act, which requires schools to protect private data with appropriate security safeguards.
Schools can also address privacy concerns by informing parents about the proposed services and platform for delivery and seeking parent consent.
School administrators may want to consider information in the Selecting an Online Platform for Student Services document for more guidance and resources.