it’s the law resulting from a breach. Therefore, it is the school district that must ensure that its contractors act in accordance with the laws in terms of student data.
In brief, school districts must evaluate each third-party provider they engage to determine if protected information is or will be implicated. Where it is implicated, school districts must ensure that the obligations (notice and consent) are met. That means that a school district must first obtain written consent from the parents (or eligible student) (see 34 C.F.R. § 99.30) or ensure that the arrangement with the third-party provider meets one of FERPA’s exceptions. See 34 C.F.R. § 99.31(a). Moreover, any personally identifiable information from a student’s education records that a provider receives under FERPA’s school-official exception may only be used for the specific purpose for which it was disclosed. 34 C.F.R. § 99.31(a)(1). Thus, the school district must ensure that the provider does not use the FERPA-protected information for any other purpose. Finally, as FERPA provides parents and eligible students with the right to access information (20 U.S.C. § 1232g(a)(1); 34 C.F.R. §§ 99.10-99.12), whenever a third-party provider will maintain a student’s education records, the school district must ensure that it retains the ability to provide a requesting parent (or eligible student) with access to those records as well.
Because school districts are ultimately responsible to ensure that the third-party contractors adhere to these conditions, it is incumbent upon the school districts to ensure that these terms are stated in written agreements with their third-party contractors, clearly setting forth the terms of the relationship: what student information may be collected, what can be done with the information, with whom it may be shared and what the respective responsibilities are in terms of such matters.
It is permitted under COPPA for third-party operators of commercial websites and online services offering online programs for students to get consent from the school rather than from the parent, but such operators must provide the school with all the notices normally required under COPPA. See Federal Trade Commission (FTC) COPPA FAQs, Section N. Prior to contracting, the school district should review privacy and security policies in terms of best practices, and ascertain how such information will be collected, maintained, used and disclosed to determine whether their privacy and information practices are appropriate. The Federal Trade Commission has interpreted COPPA to allow schools to exercise consent on behalf of parents, limited to the educational context – where the operator collects personal information from students for the use and benefit of the school – and for no other commercial purpose. Id. However, if an operator intends to use or disclose children’s personal information for its own commercial purposes in addition to the provision of services to the school, the operator must first directly obtain parental consent. The school district should review the operator’s collection, use and disclosure practices, so that the school district may make an informed decision.
So what should be in contracts with third-party service providers that will have access to protected student information?
The short answer is that the agreement should expressly and explicitly reflect the school district’s obligations in terms of student/parent privacy, notice and access. In addition to outlining the exact services to be provided, the agreement should describe and define the data in question, how the provider may use that data, and whether and upon what terms the provider may share such information and with whom. More specifically, agreements should clearly state that contractors may only use the information entrusted to them for the purposes the school district provided it to them, and ensure that the information is not shared or disclosed to others unless consented to by the student/parent or one of the legal exceptions applies.
In particular, the contract should expressly state that the contractor will comply in all respects with FERPA, and shall keep all student records strictly confidential, not disclose any student records or information except as specifically permitted, not take any student records or upload any student records, and promptly return any student records in its possession upon request, and cooperate with the school district in such matters.
The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) recommends the following considerations:
• In terms of student data, the agreement should include a broad definition to encompass a range of information to which the provider may have access. Moreover, terms such as “Educational Records,”
January/February 2022 PSBA Bulletin 45