PSBA 2022 January/February Bulletin - Page 47

it’s the law resulting from a breach. Therefore, it is the school district that must ensure that its contractors act in accordance with the laws in terms of student data.

In brief, school districts must evaluate each third-party provider they engage to determine if protected information is or will be implicated. Where it is implicated, school districts must ensure that the obligations (notice and consent) are met. That means that a school district must first obtain written consent from the parents (or eligible student) (see 34 C.F.R. § 99.30) or ensure that the arrangement with the third-party provider meets one of FERPA’s exceptions. See 34 C.F.R. § 99.31(a). Moreover, any personally identifiable information from a student’s education records that a provider receives under FERPA’s school-official exception may only be used for the specific purpose for which it was disclosed. 34 C.F.R. § 99.31(a)(1). Thus, the school district must ensure that the provider does not use the FERPA-protected information for any other purpose. Finally, as FERPA provides parents and eligible students with the right to access information (20 U.S.C. § 1232g(a)(1); 34 C.F.R. §§ 99.10-99.12), whenever a third-party provider will maintain a student’s education records, the school district must ensure that it retains the ability to provide a requesting parent (or eligible student) with access to those records as well.
Because school districts are ultimately responsible to ensure that the third-party contractors adhere to these conditions, it is incumbent upon the school districts to ensure that these terms are stated in written agreements with their third-party contractors, clearly setting forth the terms of the relationship: what student information may be collected, what can be done with the information, with whom it may be shared and what the respective responsibilities are in terms of such matters.
In addition, it is important for the school districts to inspect online providers’ “terms of service” agreements whereby users indicate “agree” in order to access the services or applications at issue. School districts need to scrutinize those agreements to ensure that they are consistent with the legal requirements discussed herein and do not unlawfully request the waiver of such rights on the part of a school or a student/parent. School districts that require parents or students to accept a third party’s terms of use must ensure that the terms are FERPA-compliant. Any “forced waiver” of FERPA rights utilized by a contractor of the school district would be a violation of FERPA* and subject the school district to potential legal consequences. 20 U.S.C. § 1232g(f), (g); 34 C.F.R. §§ 99.60-99.67. Indeed, in this era of social media, a violation of FERPA may lead to significant reputational harm to the school district and the administrators or school board directors deemed responsible, on social media.
It is permitted under COPPA for third-party operators of commercial websites and online services offering online programs for students to get consent from the school rather than from the parent, but such operators must provide the school with all the notices normally required under COPPA. See Federal Trade Commission (FTC) COPPA FAQs, Section N. Prior to contracting, the school district should review privacy and security policies in terms of best practices, and ascertain how such information will be collected, maintained, used and disclosed to determine whether their privacy and information practices are appropriate. The Federal Trade Commission has interpreted COPPA to allow schools to exercise consent on behalf of parents, limited to the educational context – where the operator collects personal information from students for the use and benefit of the school – and for no other commercial purpose. Id. However, if an operator intends to use or disclose children’s personal information for its own commercial purposes in addition to the provision of services to the school, the operator must first directly obtain parental consent. The school district should review the operator’s collection, use and disclosure practices, so that the school district may make an informed decision.
So what should be in contracts with third-party service providers that will have access to protected student information?
The short answer is that the agreement should expressly and explicitly reflect the school district’s obligations in terms of student/parent privacy, notice and access. In addition to outlining the exact services to be provided, the agreement should describe and define the data in question, how the provider may use that data, and whether and upon what terms the provider may share such information and with whom. More specifically, agreements should clearly state that contractors may only use the information entrusted to them for the purposes the school district provided it to them, and ensure that the information is not shared or disclosed to others unless consented to by the student/parent or one of the legal exceptions applies.
In particular, the contract should expressly state that the contractor will comply in all respects with FERPA, and shall keep all student records strictly confidential, not disclose any student records or information except as specifically permitted, not take any student records or upload any student records, and promptly return any student records in its possession upon request, and cooperate with the school district in such matters.
The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) recommends the following considerations:
• In terms of student data, the agreement should include a broad definition to encompass a range of information to which the provider may have access. Moreover, terms such as “Educational Records,”