Keeping students’ data safe from prying eyes and malicious actors isn’t as simple as it used to be.
Students are constantly engaging online with each other, teachers, and educational platforms. Since the Covid pandemic, education has become even more digitized, and the threat has only expanded. More than 90% of students carry personal laptops and smartphones, according to a study by EDUCAUSE, which makes things almost impossible to govern. School campuses can be large, which means that there are more people to protect and more who need to follow best practices online.
According to studies, there have been more than 1,332 data breaches in education in 2021 alone, of which 344 lead to data losses. Social engineering is one of the biggest culprits, along with email compromise.
But how do schools regulate what websites can be visited and what data is disclosed?
Schools and other state and local authorities in the education sector hold incredibly detailed student information—from financial aid to education records to healthcare data— in preparation for health and safety emergencies.
Information security laws like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Family Educational Rights and Privacy Act (FERPA) all apply to educational institutions that collect personal data. Not complying with these regulations can result in severe penalties and legal action.
There may also be reputational damage to consider. If education records or personally identifiable information (PII) is leaked, there will be a huge fallout from which some schools never recover… as was the case with Lincoln College—a private school based in Illinois that closed permanently following a ransomware attack in 2022.
There are three main privacy laws designed to protect the rights of students. Each is administered by different branches of the federal government.
Let’s take a closer look at each one:
Enacted in 1974, the Family Educational Rights and Privacy Act stands as a cornerstone in safeguarding the privacy of student education records within educational institutions across the United States.
It was enacted to ensure that sensitive student information remains protected. FERPA grants certain rights to parents until the student reaches the age of 18 or attends post-secondary education, at which point these rights transfer to the student themselves, termed as “eligible students.”
The applicability of FERPA extends broadly to educational institutions and agencies that receive federal funding from the U.S. Department of Education. Under FERPA, student education records encompass a wide array of information directly related to the student and maintained by the educational institution. These records include but are not limited to academic transcripts, disciplinary records, and special education files, covering students who are part of the Individuals with Disabilities Education Act (IDEA) program.
However, certain records fall outside the purview of FERPA, such as law enforcement unit records maintained by school resource officers and other law enforcement authorities.
Despite stringent privacy protections, FERPA does outline specific scenarios where educational institutions may disclose student records without explicit consent. These include compliance with court orders or subpoenas, requests from school officials with legitimate educational interests, and circumstances involving health and safety emergencies.
FERPA also permits the release of directory information—non-sensitive details like a student’s name, address, and dates of attendance—without necessitating consent, albeit educational institutions must notify parents and eligible students about directory information and offer an opportunity to opt-out.
To ensure compliance with FERPA regulations, educational institutions bear the responsibility of informing parents and eligible students annually about their rights under the law. This may be accomplished through various means, such as student handbooks, PTA bulletins, or other school-wide announcements. Institutions must provide mechanisms for parents and eligible students to request the non-disclosure of directory information.
Complying with FERPA requires specific actions from schools, including:
This not only protects students but fosters an environment of trust and openness.
Educational stakeholders can turn to resources provided by the Department of Education, including the Protecting Student Privacy website or watch the video below.
The Children’s Online Privacy Protection Act (COPPA) was enacted in 1998. It’s overseen by the Federal Trade Commission (FTC) and aims to safeguard the online privacy of children under the age of 13. Unlike FERPA, which primarily concerns student educational records, COPPA targets the collection of personal information from minors in the online realm.
COPPA mandates several key regulations to protect children’s privacy online. First and foremost, website operators and online service providers must obtain verifiable parental consent before gathering any personal information from children under 13. This consent requirement serves as a safeguard against the unauthorized collection and use of minors’ sensitive data.
COPPA also requires that websites and online platforms hosting content targeted toward children have to maintain clear and comprehensive privacy policies. These policies must outline the types of information collected, how it will be used, and any third parties with whom it may be shared. That way, parents can make informed decisions regarding their children’s online activities. COPPA provides provisions allowing schools to act as proxies instead of parents, provided that the platform is solely used for educational activities and not for commercial purposes.
COPPA mandates that collected information be securely stored and protected from unauthorized access or disclosure. This measure helps mitigate the risk of data breaches and identity theft, safeguarding the personal information of young users.
COPPA’s scope extends to encompass a wide array of online entities, including websites, mobile apps, and online services that cater to children under 13. Educational institutions operating online portals or platforms fall within the purview of COPPA, necessitating compliance with its stringent privacy regulations.
Schools bear the responsibility of diligently vetting and selecting online products and services, ensuring that they align with COPPA’s privacy standards.
Per the FTC, every school should have a compliant privacy policy that contains a prominent link on the home landing page, a list of parties that collect personal information (e.g., social networks or ad networks), which information will be collected and how it will be used, and a section detailing the rights of parents. This includes the right to refuse or ask for a review/deletion of data that is being collected about eligible students.
The school has to provide direct notice of its data collection processes before any data is collected, and any changes to those practices have to be disclosed.
Schools can collect disclose or obtain consent through:
The FTC has released a guide called Protecting Children’s Privacy Under COPPA that provides more information. Below is also a short explainer video.
The Children’s Internet Protection Act (CIPA) of 2000 protects children from exposure to inappropriate or harmful online content. Unlike FERPA and COPPA, which primarily focus on privacy concerns, CIPA is specifically designed to regulate children’s access to objectionable material on the internet, particularly in schools and libraries.
CIPA mandates that schools and libraries participating in the Federal Communications Commission’s (FCC) E-rate discount program, which provides discounts for internet access and internal connections, must implement measures to protect minors from accessing obscene or harmful online content. To fulfill this obligation, institutions have to deploy web filters and other solutions designed to block or filter out objectionable material.
Under CIPA, schools and libraries are obligated to develop and maintain an internet safety policy outlining their approach to safeguarding students from inappropriate online content. This policy must be publicly accessible, and institutions must hold at least one public meeting to discuss and disseminate information about their compliance efforts.
Furthermore, CIPA mandates that schools implement measures to monitor the online activities of minors, ensuring compliance with their internet safety policies.
The 2012 Protecting Children in the 21st Century Act, an amendment to CIPA, requires schools to educate students on responsible online behavior. This educational curriculum covers various aspects of online interaction, including appropriate conduct on social networking platforms and in chat rooms, as well as strategies for dealing with cyberbullying incidents.
The American Library Association shares practical tips for complying with CIPA:
Schools can find out more about CIPA and apply for funding through the Universal Service Administrative Company (USAC). And lastly, below is a quick explainer.
To recap what we’ve covered:
Each of these laws plays a crucial role in ensuring the safety and privacy of children in various online and educational settings.
It’s in the best interest of everyone involved with education—including parents, management, and students—to understand student privacy laws and confirm that they or their schools are committed to complying with them and following best practices.
*** This is a Security Bloggers Network syndicated blog from Blog – Coro Cybersecurity authored by Kevin Smith. Read the original post at: https://www.coro.net/blog/edu/how-schools-can-comply-with-the-three-biggest-online-student-privacy-laws