The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that protects the privacy of students’ education records. Under FERPA, school officials can’t release student data to third parties without signed consent from the parent (if the student is under 18 and not in college) or eligible student (who is at least 18 years old or attending an institution of higher learning).
FERPA defines “education records” as any information containing data that relates directly to a student the school or a third-party provider working for that school maintains. This definition includes everything from grades to behavioral assessments and more. Essentially, if there’s data that concerns a student — and it includes identifying information that links that information to its subject — the record is protected under FERPA.
So what does this mean for online education? At a time when classrooms are going increasingly virtual, it can be hard to understand how FERPA intersects with data transfers that are common in virtual instruction. Here are a few things every teacher, school official, and parent should know about FERPA and online learning.
1. Digital files that contain student data are subject to FERPA’s rules
Moving your classroom online doesn’t change a student’s right to privacy under FERPA. The law doesn’t differentiate between paper files and digital records — including audio and video recordings — says LeRoy Rooker, a senior fellow at the American Association of Collegiate Registrars and Admissions Officers (AACRAO).
The rules set forth by FERPA are “technology-neutral,” Rooker says. “You just have to make sure that whatever you have works” to protect student data.
2.Your institution — not the vendor — is on the hook if the online-learning tools you use don’t comply with FERPA
Using digital tools and services complicates FERPA compliance, whether you’re using a class website, a videoconferencing app, or JotForm’s online education forms. No matter who’s handling student data, the school is ultimately responsible for protecting that data in compliance with FERPA.
“If a vendor causes an institution to violate FERPA, the Department of Education will investigate the institution, not the vendor,” Rooker says. “Institutions need to know that vendors are not going to create a problem for them.”
The AACRAO provides vendor product reviews, evaluating digital tools to make sure they protect user data in a FERPA-compliant manner. For eligible products, the AACRAO will issue a letter of verification that confirms the product complies with FERPA’s data protections.
3. Your institution should know whether an online educational service handles protected student data before using it
The services teachers use to run online classrooms vary widely. These may include (but are not limited to)
- Videoconferencing software
- Apps that give students access to educational texts
- Video playback sites
- Classroom message boards
- Homework submission forms
Before using any of these services, school officials should find out whether they’ll need to share FERPA-protected data on them.
If the services don’t collect students’ personal identifiable information, they’re generally safe to use from FERPA’s perspective. Put another way, if students aren’t logging into an application, it’s unlikely anyone is sharing protected information. For example, a teacher can post a video on a classroom website; if the students don’t need an account to view that video, there’s little chance anyone is sharing their data.
On the other hand, if students need to create an account for a digital tool — for instance, an online system that provides access to class materials — it’s likely that you’ll need to send students’ protected personal identifiable information to the vendor. In that case, you’d need signed consent to avoid violating FERPA.
4. You have to authenticate the user to share education records with a student or parent through an online system
Online self-service tools are a big part of online learning. A student may log into a website to access homework assignments, or the parent may want to check a student’s grades. But how can you be sure the user who logs on is actually the student or parent?
The Department of Education requires school officials to provide a “reasonable expectation of authentication” in these cases, Rooker says. This verification information can’t simply be a name and social security number, birthdate, or mother’s maiden name, so many typical password systems are insufficient for FERPA compliance.
“Institutions do it in different ways,” explains Rooker. “One requires a notarized copy of the student’s driver’s license, which tells them someone has authenticated that person’s identity. Some may have the student physically visit the registrar and show a driver’s license. Others do a Skype call and have the student hold up their driver’s license. All of those are reasonable, but simply accepting random pieces of information that are easy to obtain is not reasonable.”
- Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices
- Protecting Student Privacy While Using Online Educational Services: Model Terms of Service
- FAQs on Photos and Videos under FERPA
- Email and Student Privacy (video)
As the 2020 pandemic began to unfold, school closures impacted at least 55 million students across the United States, forcing many classrooms to move online quickly. Even before this happened, about 20 percent of traditional public schools offered full online courses. It’s clear that virtual education is here to stay — and understanding how FERPA and online learning interact is crucial to safe, successful online learning.