At the start of the COVID-19 pandemic, K-12 school districts had no other choice but to sprint head-first into using cloud technology and embrace remote/hybrid learning. Even today, with in-person classrooms back to normal, educators are still leaning heavily on cloud-based education technology.
In fact, according to our own research in collaboration with EdWeek, 94% of school districts are now storing data in cloud domains like Google Workspace and Microsoft 365. But with more third-party vendors processing personal information and education data, student data privacy has emerged as one of the leading concerns throughout the industry.
By the same token, data privacy laws are more relevant than ever before. Whether you’re a high school, middle school, or elementary institution, one thing is for certain: Protecting student privacy is your legal responsibility. Unfortunately, that’s easier said than done.
Let’s explore the importance of student data privacy and how three student privacy laws apply to your school district. Then, we’ll show you how to keep student records safe in your cloud environment.
The basics of data privacy
What is student data privacy? In simple terms, it refers to the process of keeping sensitive student information classified to those without the proper authorization to access it.
It sounds awfully similar to data security — and for the most part, it is — but the key distinction is that data privacy is concerned with confidentiality. On the other hand, data security also includes any and all efforts to protect student information from malicious exposure, such as through a data breach. All this said, you can’t have one without the other, as they tend to go hand-in-hand.
So, why is protecting student privacy such an issue? The short answer is simple: School districts are a hive of sensitive data — the type that cybercriminals are buzzing to get their hands on. And to make matters more complicated, schools are trusting their student records to education technology providers, whose cloud products process and store information for the district.
Where data collection is concerned, your school district (and its vendors) may be processing the following:
- Personally identifiable information (PII): Social Security numbers, names, addresses, etc.
- Education records: Grades, transcripts, class schedules, class rosters, etc.
- Medical information: Student medical histories, allergies, and disabilities.
- Family financial data: Payment card industry information, bank accounts, etc.
- Third-party data: Log-in credentials and metadata.
In a vacuum, there’s nothing wrong with data collection. It comes with the territory of using an online service. What’s more concerning, however, is how vendors use individual student data once it’s collected. The majority of K-12 parents believe this is important. In fact, 93% of parents want schools to engage with them about the use of student information, according to the Center for Democracy and Technology.
Unfortunately, most parents don’t get much say in how their children’s data is used. Although cloud vendors have data privacy agreements, there’s still no telling what might happen. Exposing student records can have drastic consequences, including identity theft, fraud, or even stalking.
3 data privacy laws and how they impact your district
The good news is that there are several federal student data privacy laws designed to keep personal information under wraps. Each one is a little different, but all are highly relevant for your school district.
1. FERPA
FERPA stands for the Family Educational Rights and Privacy Act. Since 1974, FERPA has protected the privacy of student education records. Specifically, it gives parents the right to access their child’s education record and to have some control over its disclosure. This legislation applies to all educational institutions and agencies that receive federal funding.
Critics of FERPA argue that the law is too loose in its privacy protections. For instance, FERPA makes it possible for schools to share student information with vendors without parental consent. However, it does require districts to restrict the access, use, and sharing of that data.
FERPA primarily protects education records. According to Netwrix, the bill addresses three types of data:
- Personally identifiable information: Any record through which an individual student can be identified (see examples above).
- Directory information: Student names, addresses, phone numbers, and dates of attendance.
- De-identified data: Information from which PII has been removed.
Violating FERPA can result in the loss of federal funding. However, no school district has ever been penalized in the bill’s nearly 50-year history. Consequently, many argue FERPA needs to be strengthened in the future.
![[FREE] Google Workspace and/or Microsoft 365 Security Audit. Learn More & Claim >>](https://no-cache.hubspot.com/cta/default/6834707/25278544-250d-4265-b25f-0c160bf67707.png)
2. PRPA
The Protection of Pupil Rights Amendment (PRPA) is a federal education law that requires school districts to follow certain rules when administering surveys and evaluations that deal with sensitive information. PRPA also limits the disclosure and use of this information for marketing purposes. Whereas FERPA applies to information the school district already has on record, PRPA protects data schools don’t have but can collect via surveys.
This legislation is specifically concerned with personal information. According to the amendment, this includes the student’s and/or the parent’s first and last name, their home address, telephone number, and Social Security number. PRPA also prohibits questions about sensitive topics, such as religious practices or political affiliation, without the consent of a parent.
Violation of the PRPA can result in a loss of federal funding.
3. COPPA
COPPA stands for the Children’s Online Privacy Protection Act. Signed into law in 1998, COPPA’s purpose is to impose specific requirements on website and online service operators for protecting the privacy of children under 13. Notably, this also includes edtech providers.
The law requires operators to gain parental consent before collecting PII from children. It also mandates that all providers maintain a clear privacy policy and post a link to it on every page where personal information is collected. COPPA requires vendors to have reasonable data security procedures and only disclose information to parties capable of maintaining its confidentiality.
Contrary to FERPA and PRPA, COPPA forbids the collection of first and last names, addresses, online contact information, and other personal identifiers. Violating the bill can result in a $40,000 fine handed out by the Federal Trade Commission.
State data privacy laws
It’s important to remember that every state may also apply its own unique data privacy laws to school districts and operators within its jurisdiction.
Amelia Vance, vice president of youth and education privacy at the Future of Privacy Forum, tells K-12 Dive that states have introduced more than 1,000 student privacy laws across the country. Since 2014, about 130 have been enacted.
Take Texas, for instance. In 2019, the state passed Senate Bill 820 — a sweeping piece of legislation that requires school districts to develop and maintain a data security framework. Later in January 2020, New York passed regulations designed to guide schools and their third-party vendors on strengthening their data privacy and security policies.
Suffice to say, student data privacy laws seem to be gaining momentum. If the past few years are any indication of what’s to come, school districts should expect their state to take a renewed interest in data security and privacy moving forward.
Common data privacy challenges
While it’s obvious that protecting student privacy is important, it certainly isn’t easy. Keeping tabs on your school network and its many devices is already hard enough. When you throw third-party cloud applications into the equation, things get even more complicated.
Remember, the vast majority of school districts operate in the cloud. By comparison, very few have adequate cloud security measures in place. In fact, Edweek Research found that only 1 in 5 school cybersecurity budgets are allocated for securing student information stored in the cloud.
That’s a problem. Why? Because it means 80% of schools lack any ability to effectively monitor and protect student information. Yes, cloud vendors like Microsoft and Google offer built-in data loss prevention (DLP) capabilities, but these tools only give you a rough idea of what’s going on behind the scenes. Without proper cloud visibility, IT administrators are blind to the risks that fly in, out, and around their district’s domain.
Another noteworthy issue is that schools face a lack of resources. There’s only so much that a small team of IT professionals can do when it comes to protecting thousands of individual student records. Too often, investigating a risk means combing through cloud data by hand, delaying, and complicating the incident response process.
These challenges make it difficult — if not impossible — to spot the threats targeting your students’ personal information. You need to know exactly how and when data is exposed. Generally, this happens in one of two ways: internally and externally.
Internal data loss
Data loss is always a tough pill to swallow, especially when it could’ve easily been prevented with a little due diligence. According to the Government Accountability Office, 25% of all school data leaks are accidental. What’s more, 84% of accidental leaks are caused by school staff members.
In other words, you need to make sure that students and staff are handling sensitive information appropriately. For instance, a teacher may mistakenly attach a student’s grades to an email meant for an entire class. Or, a student might unwittingly share their Social Security number with someone when using a school-provided cloud product, such as a Google Doc or Google Chat. In either case, both parties should understand what’s safe to share with others and what needs to be closely guarded.
External data loss
On the other hand, many external factors can put student information in jeopardy, both accidentally and maliciously.
Perhaps the most well-known threat to student data is the inevitability of a cyberattack. Unfortunately, cybercriminals frequently target the education sector. From ransomware and malware to phishing attacks and typosquatting, districts have their hands full with potential threat vectors. According to the K-12 Security Information Exchange (K12 SIX), security risks are steadily rising.
However, school districts also need to be wary of their third-party vendors. Cloud providers may offer beneficial products and services, but if their data security practices are faulty, it can spell doom for your district. When you trust sensitive information to a third party, you also trust their defenses to keep that data away from prying eyes.
But what’s also concerning is how some edtech tools use student data for their own gain, such as for marketing purposes. Risky vendors may even create profiles out of this information and use it to send targeted advertisements to their users.
Protecting student data with a CASB solution
Luckily, school districts aren’t on their own. With the help of an automated solution, such as a cloud access security broker (CASB), protecting student privacy doesn’t have to be painful or tedious.
CASB is a term used to describe a type of cloud security tool designed to secure access to information stored in your district’s cloud apps (like Google Workspace, Microsoft 365, and others). Think of it like a checkpoint placed between your users and cloud service providers that interjects security policies when cloud data is accessed.
ManagedMethods, for instance, is a platform that automates data loss prevention, threat protection, and cloud monitoring. With customizable policies, you can set parameters around how data should be accessed, stored, and shared in the cloud. When a policy violation occurs, such as if someone mistakenly shares personal information, you’ll be notified right away. This allows you to jump into action, investigate the incident, and mitigate the situation as quickly as possible while adhering to your state and federal student data privacy laws.
