In some ways technology has made the world a better place, but in other ways it has only complicated things. While technology has improved efficiency, organization, and productivity, it has also made compliance with laws more difficult. Take for instance the issue of student data privacy. The Family Educational Rights and Privacy Act (“FERPA”), established in 1974, gave parents control over the disclosure of their child’s personal and educational information.  Back then disclosure was simpler to control – districts maintained student records, always written on paper documents, locked away in filing cabinets. The only way to access those documents was to go to the school, find the right filing cabinet, physically open the cabinet, pull out the document, and look at it. Basically accessing the student record was akin to going on a treasure hunt. Back then the terms cloud computing, web-based software, and data-drops were nowhere to be found in FERPA. Now those terms mean something and accessing documents maintained on servers accessible through the internet is much easier; like the click of a few buttons easy. As a result, compliance with FERPA has become a more difficult task. But a task that is not impossible if districts take the necessary steps to protect student data privacy.

What does the district need to do to protect student information? First, the district should have a set of policies and procedures, and roles and responsibilities for employees, designed to help the district comply with laws, protect student information, and protect the district from unauthorized disclosure.

One role that might be necessary is that of student data privacy coordinator who would oversee and be responsible for the school’s privacy program.  This person could communicate the district’s expectations to the various vendors providing internet based programs and software the district utilizes. He or she should be responsible for conducting periodic privacy assessments to determine what information the school maintains, where that information is located, and the potential risks that exist.  A larger district could establish a committee in place of a single individual. The committee or the individual could be responsible for developing the district’s policies.

The district should have a policy of transparency with parents. First, the disitrict should have a policy of notifying parents what information is being collected and disseminated. But also notifying parents early and often of the school’s data privacy practice is an important step in case there ever is a breach. Districts could have a practice of notifying parents about how the district handles privacy-related matters and how parents could obtain more information. The information disseminated to parents could include the district’s monitoring plan and the privacy policies of the online software services the school utilizes.

The district should have policies and procedures for vetting and choosing vendors that will supply online educational services. Any decision to choose a vendor should go through the coordinator or committee responsible for the district’s student privacy program. In vetting that vendor, the responsible party should: evaluate the vendor’s privacy policies; research the vendor’s performance in protecting private information; and ensure any agreement includes a provision protecting against the unlawful disclosure of student information.  Furthermore, all vendors should be assessed; whether the services are provided for free or at a cost. All levels of employees should be made aware of these internal processes. No one should be allowed to bypass the internal controls when acquiring online and web based products.

Finally, awareness of all the necessary and pertinent laws is important. In addition to FERPA, there are state, tribal, and local laws to be aware of. In particular, districts should be aware of and consider the requirements of the Children’s Online Privacy and Protection Act (COPPA). COPPA generally applies to commercial Web sites and online services directed to children. Generally, those sites must obtain verifiable parental consent before collecting children’s personal information. In limited circumstances, schools may exercise consent on behalf of parents. Thus knowing the various laws and exceptions are highly important.

Technology has an important, and necessary, role in schools. With the movement towards data collection and analysis, technology, and particularly computer programs, have become a necessary tool for educators. Knowing the best practices and putting those practices in place is an important step to ensure the data being collected and used is safely maintained.


This blog should be used for informational purposes only. It does not create an attorney-client relationship with any reader and should not be construed as legal advice. If you need legal advice regarding Student Data Privacy, or other Education Law matters,  please feel free to contact Phil D. Ortega at  480.461.5330, log on to,  or contact an attorney in your area. Udall Shumway PLC is located in Mesa, Arizona and is a full service law firm. We assist Individuals, families, businesses, schools and municipalities in Mesa and the Phoenix/East Valley.