Online educational opportunities are exploding. The launch of Massive Open Online Courses (MOOCs) on platforms like edX and Coursera has transformed the way higher education can be accessed. It is highly likely that we’ll see these same changes trickle down to secondary education.
However, secondary educational administrators seeking to employ online or digital education technologies must ensure that their choices and activities comply with FERPA. As digital education tools become more and more commonplace, and methods of education evolve alongside technology, the privacy considerations also change. There are two practical methods for FERPA compliance in an online education model.
Option 1 requires schools or districts to contract with a vendor to act as the agent of the district or school, and therefore be authorized to access educational records under the “school official” exception to FERPA.
This approach requires that the vendor’s product meet the same security and privacy controls as the district or school’s student information system, or generally any system that is FERPA compliant. This might include:
- Hosting the site in a secure data center
- Encrypting the application and database
- Limiting access to the servers
- Establishing an information security policy, and providing training to staff
- Subjecting site administrators to background screening
Because the school official exception to FERPA keeps the disclosing agency responsible for unauthorized disclosure by the disclosing agency’s agents, this approach may be time-consuming to implement. A standard agreement could be drafted, but negotiations would be necessary with each separate district or school.
Option 2 is premised on the idea that all information in the vendor’s online education environment is disclosed to a third party with the consent of the student’s parents. Prior written parental consent for a student’s participation is required before a student can access the online education environment.
In addition to the vendor, any third parties with access to the servers on which the online education environment is hosted would need to be included in the consent form. The form would need to detail exactly how and why the information is going to be used.
Note: FERPA currently permits districts or schools to share what is considered “directory information” publicly, unless a student’s parent has opted out of this data sharing. Students whose parents have opted out are called “FERPA blocked.” This is a very small group of students.