Without careful management, 3rd party apps can present a threat to student data privacy
The spotlight is on privacy during the month of January, with Data Privacy Day falling on January 28, 2021. For educators and administrators alike, it’s a month to focus on student data privacy issues and using data loss prevention methods to protect students whether they’re in the classroom or learning remotely. District IT teams also need to address problems that relate to student data privacy and 3rd party apps.
Student Data Responsibilities Under FERPA for 3rd Party Apps
The U. S. Department of Education created the Privacy Technical Assistance Center (PTAC) as a resource for education stakeholders. The Center provides information about data privacy, confidentiality, and security practices to protect Personally Identifiable Information (PII) in education records. The Center has published guidelines for sharing PII with 3rd party vendors.
The Family Educational Rights and Privacy Act (FERPA) is perhaps the most significant of the Federal data loss prevention regulations when it comes to protecting student data collected, stored, and shared by schools. FERPA defines education records as
“records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution” (20 U.S.C. § 1232g (a)(4)(A); 34 CFR § 99.3). These records include, but are not limited to, transcripts, class lists, student course schedules, health records, student financial information, and student disciplinary records. It is important to note that any of these records maintained by a third party acting on behalf of a school or district are also considered education records.”
FERPA also defines the term personally identifiable information (PII) to include:
…”direct identifiers (such as a student’s or other family member’s name) and indirect identifiers (such as a student’s date of birth, place of birth, or mother’s maiden name). Indirect identifiers, metadata about students’ interaction with an app or service, and even aggregate information can be considered PII under FERPA if a reasonable person in the school community could identify individual students based on the indirect identifiers together with other reasonably available information, including other public information.”
The key point is that FERPA holds schools and districts responsible for protecting the PII in education records. FERPA continues to govern PII when it’s shared with 3rd party vendors, and schools and districts are still held responsible for its use by vendors.
Are 3rd Party Apps Putting Student Data Privacy at Risk?
The use of 3rd party EdTech is widespread and there are many EdTech security risks that teachers, students, and even many IT admins are not aware of. This is because much of today’s EdTech is connected to various different information systems, either through OAuth or other integrations. OAuth risks can create a “back door” type openings for both malicious and accidental student data loss.
Additionally, the fact that many students are now learning virtually has increased remote learning security risks. The onslaught of free remote learning resources that started in March as a result of the coronavirus lockdowns overwhelmed many IT admins, and still have the potential to present data privacy and security risks to students, staff, and schools.
Google apps are an example of the challenges districts face. Google has a history of privacy violations. These include:
- In 2011, Google reached an agreement with the FTC that restricts Google from misrepresenting its privacy policies.
- In 2012, Google was fined $22.5 million for violating that agreement.
- In 2013, a lawsuit resulted in a Google spokesperson confirming that it scans and indexes the emails of all Google Apps for Education Users. One of the things Google uses that information for is advertising. Advertisements don’t appear as students are logged in to G Suite, but it’s not clear how Google uses the information they collect.
- In 2019, the FTC announced that Google would pay $170 million for alleged violations of the Children’s Online Privacy Protection Act (COPPA) by its YouTube subsidiary.
- Most recently, New Mexico’s attorney general sued Google for its alleged misuse of student data.
In addition to Google, there are more than 500,000 educational apps, and many teachers are using them in their classrooms. While many apps are useful and safe, the sheer number of them poses a risk to student data privacy, and a potential nightmare for school districts across the country. District IT teams need to pay close attention to their responsibility to protect those privacy rights.
6 Best Practices for K-12 Schools Managing Student Data Privacy and 3rd Party Apps
District IT teams can take control of the student data privacy and 3rd party apps issue. There are a set of best practices that can help you maintain that control.
1. Create Policies for Approving 3rd Party Apps
Outline the basic criteria that your IT team uses to evaluate and approve 3rd party apps. You’ll also need to get buy-in from district leadership. Educate them on why managing 3rd party apps is critical and get their assurance that they will support your efforts.
Once you have that agreement, publish your policies to your teachers to help them understand the process that they should use to obtain approval for school use of 3rd party apps and why it’s so necessary to control approving those apps. Publish the basic criteria to your teachers to let them know what they need to look for before proposing a 3rd party app for school use.
2. Use Well-Defined Evaluation Criteria for Approving 3rd Party Apps
When your team evaluates a request for approving a 3rd party app, you should consider a range of compliance criteria, including questions such as:
- Is there a reasonable educational purpose for using this app?
- Is the app from a reputable company/app developer?
- What app permissions are required?
- What data is collected and how is it stored?
- Is the vendor FERPA and COPPA certified?
3. Formalize Your Evaluation and Approval Process
This approval process shouldn’t be conducted informally because you’ll need a record of your decisions. Many districts use an online form to allow teachers to submit apps for review and approval. They also schedule regular meetings on a monthly or quarterly basis to approve or deny applications submitted by faculty.
Create an EdTech vendor security & compliance evaluation process that works for your district, and then share it with your stakeholders. Let them know what their role is in the process, and when a decision about an app request will be available.
4. Ensure that Software Settings are Properly Configured
Take a look at how you control 3rd party apps now. If your district uses Google for Education and/or Microsoft 365, make sure that their settings are configured to provide the highest reasonable level of security.
For example, you can use the App Access Control feature in the Google Admin Console to do things such as restrict access to most G Suite services and to “trust” specific apps to allow access to restricted G Suite services.
If you use Microsoft Office 365, you probably need to do more than trust that users will read the permissions for apps they want to use or understand which apps should be allowed access. The App Permissions feature allows you to identify the apps that have access to Office 365 data, the level of permission assigned, and the users who approved access.
While you won’t have control over approving or removing apps without advanced coding, you can use the Office 365 Advanced Security Management feature to take advantage of the controls you can access.
5. Learn from Others
Many states have enacted laws that strengthen requirements for evaluating and using 3rd party apps in education.
If your state is one of them, you can use those laws to fashion your own controls. If your state isn’t one of them, reach out to IT leaders in states that have passed those laws to learn how they’re setting up their policies, evaluation processes, and more.
6. Automate the Process of Sanctioning and Unsanctioning 3rd Party Apps
Many district IT teams now use automated tools to set up criteria for sanctioning and unsanctioning 3rd party apps, which allows the tools to manage those two processes automatically. You can set up some of this process in the Google Admin Console, but the procedures to accomplish it are a bit heavy-handed.
Automating 3rd party app management saves IT admins a significant amount of time and it helps keep district data secure and student data private.
As we continue to focus on student data privacy, keep in mind that FERPA places the responsibility for protecting PII data on the schools and districts, even when it is supplied to a 3rd party. While controlling 3rd parties can be a challenge, the apps they provide can be critical to the education process. Following best practices for managing 3rd party apps will help you meet your responsibility under FERPA and keep your students safe.