Protecting Student Privacy in the Cloud

December 13, 2024

Jessica Arciniega, Katherine Kalpos, Morgan Sexton, Amelia Vance, and Casey Waughn

 

CC BY-NC 4.0


From one-to-one devices to virtual reality experiences, technology has become an integral part of the educational journey for today's students. Edtech provides schools the opportunity to enhance student learning experiences in countless ways, such as using algorithms to personalize individual learning experiences to each student’s strengths and interests, or using virtual reality field trips to teach students about different places. But while technology has great potential to enhance and supplement traditional instruction, schools often do not have the internal capacity, funding, or expertise to provide these technologies entirely themselves. Instead, schools typically rely on third-party technology companies who own and operate the many technologies used in their classrooms. 

This arrangement can be mutually beneficial for students, schools, and the technology companies, so long as robust privacy protections–such as those in the Family Educational Rights and Privacy Act (FERPA)–are implemented to protect the vast amounts of student data collected on edtech platforms and stored remotely in the cloud or on third-party servers. However, some would argue (and we strongly disagree) that FERPA does not apply to student data collected by third-party edtech platforms since the data is not “maintained” by the school when it is stored in third-party networks.

Despite guidance* to the contrary, the term “maintained” has sometimes been misinterpreted under FERPA to exclude data shared with third parties on the school’s behalf. If this interpretation were true, students would lose the majority (if not all) of their federal privacy protections when using edtech at school–and there is no guarantee that schools would be able to account for this by negotiating increased privacy protections with technology companies in written agreements (see this Fixing FERPA installment for more information on contracting hurdles for school districts). To ensure schools can continue to provide their students with a technology-enhanced education in a way that both protects and respects student privacy, FERPA should be amended to clarify that students’ personally identifiable information (PII) is protected regardless of where it is stored.

Technologies Used in Schools Collect Vast Amounts of Student PII

FERPA gives parents and eligible students privacy rights over students’ “personally identifiable information” (PII) in education records. PII includes (but is not limited to): 

(a) “The student's name;

(b) The name of the student's parent or other family members;

(c) The address of the student or student's family;

(d) A personal identifier, such as the student's social security number, student number, or biometric record;

(e) Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;

(f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or

(g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.” (34 CFR 99.3)

Technologies used in schools collect a broad range of student PII. For example:

  • Exam monitoring software may track students’ eye movement, keystrokes, and browser activity;
  • Student information systems may contain student demographic information, attendance data, and discipline records;
  • Digital classroom assistants may record student voices and conversations; 
  • Security cameras may use facial recognition software to log who students talk to and how they move within the school building;
  • Smartboards may capture student handwriting; and
  • Cloud services may store student essays and journal entries.

Essentially, all information collected by technology companies that can be readily linked back to an individual student will fall under FERPA’s definition of PII.

FERPA is Intended to Protect Student PII Collected and Used by Third Parties Acting for the School

FERPA protects PII in education records. “Education records” are records: 1) directly related to a student; and 2) maintained by an educational agency or institution, or by a party acting for the agency or institution. (34 CFR 99.3(a), emphasis added).

Student data can be protected under FERPA when it is stored by a third party acting on behalf of a school district (such as a technology company that has contracted with a school to provide an edtech platform). That being said, not all student data maintained by edtech companies falls within the scope of FERPA protections. The Privacy Technical Assistance Center (PTAC) at the Department of Education has explained that while some technologies used in school may collect and use student PII, others may not need to collect any data that is protected under FERPA:

“Some types of online educational services do use FERPA-protected information. For example, a district may decide to use an online system to allow students (and their parents) to log in and access class materials. In order to create student accounts, the district or school will likely need to give the provider the students’ names and contact information from the students’ education records, which are protected by FERPA. Conversely, other types of online educational services may not implicate FERPA-protected information. For example, a teacher may have students watch video tutorials or complete interactive exercises offered by a provider that does not require individual students to log in. In these cases, no PII from the students’ education records would be disclosed to (or maintained by) the provider.” (Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices)

This clarifies that while student data stored by technology providers may constitute education records under FERPA, only the PII within them is actually protected under FERPA. 

But FERPA Does Not Clearly Protect All Student PII Held by Third Parties

FERPA does not define the term “maintained,” making it unclear (and often unintuitive) what constitutes an education record under FERPA. This ambiguity can be used to undermine FERPA’s privacy protections for student data when it is collected online.

For example, imagine that a math teacher assigns a multiplication worksheet to their students as homework. At the beginning of the next class, the teacher asks students to exchange homework assignments with their classmates for peer grading. Two students, Emma and Jason, swap worksheets with each other. While the teacher goes over the answers, students mark responses as correct or incorrect and tally the final score. Right before handing in their graded worksheets to the teacher, Jason announces to the class that Emma only got 3 questions right out of 10. Emma’s grade clearly is PII under FERPA, but is it PII that is protected under FERPA? The surprising answer is no–FERPA protections do not attach to Emma’s grade until the teacher records her score in their gradebook. This is because of the Supreme Court’s ruling in Owasso, a decision that was meant to be practical because the court did not want to interfere with common school functions. However, the decision caused massive confusion about the scope of what PII is protected under FERPA (including colleges believing disciplinary records weren’t covered, which led to USED and the Department of Justice filing a complaint in federal court seeking to enjoin two colleges from releasing student disciplinary records**). Under Owasso, homework assignments are not “maintained” by the school, and thus not considered “education records” with PII that are protected under FERPA, until they are turned in to the teacher (and subsequently recorded)–something that hadn’t happened yet when Jason revealed Emma’s grade to the class in the above example.

While we appreciate that the Owasso Court took a practical view that preserved peer grading methods, this ruling does not stand the test of time. When Owasso was decided in 2002, a school could not be expected to protect assignments before they were in a school staffer’s possession–such as when a paper was being drafted in a student’s notebook or on a student's personal computer–since the school would have to physically invade a student’s space or search their personal possessions to access that in-progress work. However, modern technology often eliminates any barriers to schools’ ability to access students’ in-progress and completed assignments. Schools can now readily access students’ work throughout the entire drafting process when it is being done using school-owned devices or cloud-based software that is licensed or run by the school, such as when students draft essays using an academic version of Google Workspace owned by the school.


Due to the Owasso case, a strong argument can be made that in-progress assignments online are not protected under FERPA because the assignments have not yet been turned in to a teacher or been graded and recorded. But most students are no longer writing their assignments in their personal notebooks at home; they are now writing them online in spaces accessible to their teachers. So if these virtual drafts are not protected due to the reasoning in Owasso, students would lose the majority–if not all–of their federal privacy protections when using school-owned devices or cloud-based software that is licensed or run by the school.

If students lose federal privacy protections in this way, it would mean that third parties may gain unregulated access to and use of student PII when students use technology in educational contexts. In addition to the school, third-party technology companies often have access to in-progress student assignments being completed online. For example, the cloud service provider a school uses to store student writing assignments may have access to students’ essay drafts, including a high school senior’s draft personal statement for their college applications detailing a time they overcame hardship or a traumatic experience in their past. Unless FERPA applies to protect students’ personal information contained in their in-progress assignments online, the cloud service provider may be able to freely use and share this sensitive personal data in ways that can significantly harm students.

Privacy Risks of Technology Companies Having Unregulated Access to and Use of Student PII

When conceptualizing how using and sharing sensitive personal information can harm students in practice, people often think about the privacy risks associated with selling student data or using it to profile and target ads to children. This is a very valid concern. Edtech platforms can collect vast amounts of student data, and–if the law is unclear–the companies operating those platforms may sell student data or use it to the company’s advantage to predict and manipulate students’ behavior once they become customers. 

But commercialization is not the only student privacy risk to consider. We need to think about privacy risks more holistically, analyzing the potential for unauthorized or improper uses of student data to impact every aspect of their life. Privacy risks to students often fall into the following categories:

  • Safety: Is a stranger or someone dangerous able to communicate with my child or learn where my child lives?
  • Over-Collection & Over-Surveillance: How much information is being collected about my child?
  • The Permanent Record: Will my child’s mistakes be recorded forever?
  • Loss of Opportunity: What information will be used to determine which opportunities my child doesn’t have access to?
  • Equity Concerns: What if the information is biased? What if it is used in an inequitable way? What if my child and I can’t or don’t have access to the information or technology?
  • Age-Inappropriate Content: Is my child accessing content that isn’t appropriate?
  • Social Harm: Is my child being cyberbullied or stigmatized?
  • Commercialization: Are companies selling my child’s data or targeting advertising to them?

To help safeguard students from such risks, schools often seek to include specific requirements in their contracts with edtech companies that the company must treat all student data collected on edtech platforms as PII under FERPA. However, schools may face significant hurdles when negotiating additional privacy protections to include in contracts with vendors (see this Fixing FERPA installment for more information on the challenges schools may face in the contracting process). Even when schools get such a provision into the contract, companies may still argue that the Supreme Court’s decision in Owasso exempts student data collected online from the scope of FERPA coverage until it is submitted to a teacher and the teacher has recorded a grade for it. It is crucial to clarify that FERPA’s protections apply to in-progress assignments being completed online to protect students from the broad range of privacy risks and harms that may result from third parties’ improper use or sharing of their personal data.

Suggested Solution: Define “Maintained”

FERPA’s protections for PII are significantly weakened when technology is used in school due to the ambiguity surrounding the term “maintained.” To fix this, future FERPA rulemaking processes must clarify that an education record is “maintained” by an educational agency or institution any time that student data is accessible to them. We propose adding the following language to future FERPA regulations: 

“An education record is “maintained” by an educational agency or institution, or by a party acting for the agency or institution, when student data is readily accessible to the educational agency or institution, regardless of where it is stored. All data that is collected, maintained, linked, processed, or otherwise associated with any accounts, profiles, platforms, software, or devices that are owned, issued, licensed, or operated by an educational agency or institution, either directly or on the agency or institution’s behalf pursuant to a written agreement, is an education record that is “maintained” by the educational agency or institution for the purposes of this statute.”

This language is intentionally broad to encompass the many different ways that schools may choose to implement emerging technologies into instruction and administration. For example, this approach would ensure that student data collected through exam monitoring software, student information systems, digital classroom assistants, security cameras using facial recognition software, smartboards, and cloud services is protected under FERPA because the school is able to access that information upon request, even when the data is stored by a third-party service provider.

But whether data is “maintained by an educational agency or institution or by a party acting for the agency or institution” is only one factor in determining whether data is protected under FERPA. To be protected under FERPA, data must also be (1) PII, and (2) directly related to a student (the second requirement for education records). For example, while all data collected through a student’s use of an online video streaming service on their school-issued device would be “maintained” for the purposes of FERPA (such as their login details and the videos they watched), any metadata (such as what time they accessed the service and for how long) that the video streaming provider collects about that student’s use of their service would be outside the scope of FERPA so long as it has been stripped of all identifiers. Additionally, if the student does not log in to an account on the video streaming service, the data collected would likely not be subject to FERPA so long as it does not contain any PII. These limitations already existing in FERPA ensure that, even though the definition of “maintained” accounts for a wide array of technology uses at school, we can retain FERPA’s tailored scope for what data must be protected. 

Endnotes

*   “FERPA defines education records as “records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution” (20 U.S.C. § 1232g (a)(4)(A); 34 CFR § 99.3). These records include, but are not limited to, transcripts, class lists, student course schedules, health records, student financial information, and student disciplinary records. It is important to note that any of these records maintained by a third party acting on behalf of a school or district are also considered education records.” (Responsibilities of Third-Party Service Providers under FERPA, PTAC, emphasis added)

**  United States v. Miami University
