What Every EdTech Company Needs to Know About Schools and Data Privacy
by Sarah Rasheed
The data privacy landscape looks a lot different than it did even a few years ago. New federal and state laws—and a greater focus on the issue by districts—are giving edtech companies a lot to consider.
Specifically, companies may run into roadblocks with legal or data privacy officers if they don’t meet key criteria regarding legal terms, data privacy and security that districts and schools need to see based on local, state and federal legislation.
FERPA, COPPA and GDPR—the new privacy legislation out of Europe—are among some of the hot-button issues for local education agencies in considering vendor selection.
Whether you’re counsel at an education company trying to pre-empt a long legal process prior to securing a contract, or if you’re about to implement your product or services and you’re faced with a data privacy addendum, make sure you consider these points:
More states are issuing legislation mandating that clearly written privacy policies, security measures and data breach procedures be implemented or clearly accessible—and it’s all the more prudent to have it readily available on your company’s website.
Define personally identifiable information (PII) and state the type of PII collected, and how it’s used. As a general guideline, make it clear that PII is never to be sold or used for marketing, commercial or political purposes (most states and institutions prohibit this type of use of PII), and should be limited to uses within the agreement for the purpose of carrying out services.
Know Your Customer
Know the variations among jurisdictions and their data privacy standards, and aim for compliance with all. The website FERPA Sherpa has a comprehensive overview of state laws.
Ensure the Ownership of PII Remains With the School, Not the Vendor
Districts are wary of vendors who intend to use PII as a means to an end—especially when that end is solely the development of the vendor’s product or related business.
Districts will want to own their PII, and this is a reasonable and necessary expectation considering their obligations under FERPA. Note that the definition of PII is broad, often including free and reduced lunch status. Importantly, some data is still considered PII, even when it is not independently capable of identifying an individual absent other attributes. Seemingly unrelated data could potentially combine to personally identify a student.
Consider instead, asking to use the PII for the purposes of developing your product or services within the scope of your agreement with the institution, giving your company the ability to use PII while acknowledging that the ultimate ownership of this data lies with the school.
Comply With Your Customer’s Standards for Deletion, Destruction and Encryption
Both FERPA and GDPR put focus on how vendors dispose of PII upon the termination of an agreement, or when PII is no longer being used for the product or service. Specifically, regulations seek the destruction of PII upon the termination of a license or agreement, or immediately upon request. With that in mind:
Be prepared to share a company policy on PII retention and destruction, and have one ready.
Have data breach procedures in place that detail your incident response policy in the event of a breach—this is a particularly important requirement for GDPR, FERPA and state and local requirements. Detail a reasonable amount of time from the discovery of a potential breach to notify the school, and request a reasonable amount of time to fix it.
Data deletion is high priority for schools, but remember to discuss the use of the data with your customer. They may wish to allow students to access their data post-termination. This would entail amending data destruction language in many cases if it’s permissible by law, and if your customer wishes to incorporate this into the terms.
Keep communications regarding student data between the district and the customer/end user/parent. Steer clear of language that asks you to problem solve regarding parental data inquiries without the school’s involvement.
Make Sure Your CTO Is Apprised of New Legislation, and Your Salesforce Is Apprised of Your Standards
Keep your CTO apprised of developments in all data security legislation, including those that entail data retention and destruction, or legislation that asks for specific standards of encryption. Proactively determine whether your company meets these standards, and ensure your salesforce has this information on hand when asked by customers.
Consider Your Third-Party Providers
You’ll often be expected to list your third party providers who have access to PII, and be asked to represent that they, too, adhere to the data privacy and security standards that you will be held to. Make sure your third party providers are aware of and follow the same standards you hold your company to, and that their standards meet federal, state and local legislation.
An additional consideration: keep in mind that schools often have policies mandating that all vendors, third party providers, and servers must be based in the United States.
Finally, in addition to state and local laws, take a look at federal guidance on best practices for vendors and general student privacy.