Skip to content

Protecting Student Privacy When Cloud Computing and Outsourcing School Student Record Functions to Third Parties

The way student records are created, accessed and stored is changing drastically increasing concerns about schools’ ability to protect student privacy as required under laws such as the Federal Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA). Schools are shifting from a traditional paper model to the electronic creation, maintenance and sharing of records, particularly through the use of the Internet and cloud computing including cloud based classroom and school educational computer applications. Schools find themselves outsourcing school records functions to third party service providers more frequently, as well as increasingly sharing and assessing student testing information with or among multiple educational agencies. This paradigm has resulted in yet to be resolved legal issues with potential landmines for schools.

There are two general but distinct concerns resulting from this changing school landscape. The first is for the security of the data itself, particularly when it is no longer maintained in house on hardware physically located at school or in the school district, rather is kept in the cloud in an unknown location.

The second concern is for the confidentiality of the content of the records and the personally identifiable information (PII) contained in those records. The latter leaves schools to ponder: exactly what information is protected and by what laws; more specifically, what will be construed to constitute an educational record and what protection must be afforded to it? Will schools be required to protect metadata meaning information that does not make a student readily identifiable but can be used to re-identify them because of unique characteristics or circumstances?   What information may legally be shared and with whom?  What type of consent, if any, is necessary?  What measures are necessary to protect student confidentiality and prevent unauthorized use of student data for purposes such as advertising/marketing? To what lengths must schools go to protect student information and how can this best be accomplished?

Does your district use cloud computing, meaning students and employees no longer must store their documents and data locally on a specific computer or server, but rather, they log into their cloud services and access the data at any time, from anywhere using almost any “smart” device?  The most obvious example of a cloud based application is Internet-accessed email using services such as Gmail, Yahoo mail and Hotmail. Others include CourseSmart for online textbooks, Facebook, Twitter, Nulu cloud-based language education tools and Edmodo for teaching tools, to name but a few. Does you district use third party service providers to create, store or maintain any student data i.e. individualized education plans (IEP’s) for special education students?  What protocols are in place in your district for the protection of student records stored in the cloud or information provided to third party vendors?  Are there provisions in your contracts with third parties providing the necessary protections? What measures, if any, are in place to restrict the selling by third party vendors of student information for advertising purposes? Who in your district has authority to download applications and do you have a pre-approval process including exploration of all terms for use including allowable uses of information by the provider? These are but a few of the many and complex questions resulting from technological advances.

District-wide data management systems and the myriad of tools available for teachers and students create potential opportunities for release of student data. Concerns about data privacy are real and must be addressed by public school districts to reflect the values and norms of their communities. District contracting practices with third party service providers, Board policies and district technology protocols should reflect the identified values and reflect legal requirements to secure the privacy of student records.

When a school or school district utilizes one of FERPA’s statutory exceptions to disclose information without prior consent, transparency is critically important. Therefore, in accordance with the US Department of Education in its guidance recommends that   schools and school districts be clear-including in their contracts -about what information is collected about students, how it is used, how it is protected, how and with whom it is shared, and for what specific purpose. Although FERP A does not require this much transparency, it is considered a best practice.

While the law attempts to catch up with continuously changing technology, it is clear schools must be proactive adopting a comprehensive approach to protecting student privacy as recommended by the US Department of Education Privacy Technical Assistance Center (PTAC). One important and pivotal part of this comprehensive approach is collaboration with your district’s chief technology officer or equivalent position.

For more information click on the following links:

U.S. Dept. of Educ. Privacy Technical Assistance Center, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices (February 25, 2014),

U.S. Dept. of Educ. Privacy Technical Assistance Center, Frequently Asked Questions: Cloud Computing (June 2012),

Letter from Arne Duncan, Secretary, U.S. Dept. of Education to Senator Edward,

For specific concerns about protecting student confidentiality, contact us at Berchem, Moses and Devlin, P.C.  Also, look for future blog updates on this topic.