An Overview of Education Privacy
by Daniel J. Solove
Privacy is essential in education, and all educational institutions have duties to their communities to protect privacy robustly. What does protecting privacy entail? Why does it matter? What privacy issues should be addressed? In what follows, I will provide answers to these questions.
Why Is Privacy Important for Schools?
Legal Compliance – Failure to comply with privacy laws and regulations can result in significant legal sanctions, liability, fines, and other unpleasant consequences. There are dozens of federal and state laws that apply to schools.
Reputation – Having a privacy mishap can severely damage the reputation of a school.
Finances – Privacy violations can lead to costly litigation, large damage awards, and expensive and burdensome legal requirements (data security breach notification).
Time and Resources – One of the largest, often under-appreciated privacy risks involves the extensive amount of time and resources needed to respond to a privacy mishap.
Student Well-Being – Leaked or improperly disclosed data can cause significant harm to students, as can failure to respond to incidents where students are violating each other’s privacy (cyberbullying, online gossip, etc.).
Employee Well-Being – Privacy mishaps can affect and harm employees.
Relationships – Privacy mishaps or even poor privacy practices that have not involved an actual mishap can sour relationships between schools and parents, applicants, donors, alumni, and others. These relationships are essential for schools.
The 9 Key Areas of Education Privacy
A comprehensive privacy program encompasses many issues. Schools need to address 9 areas of education privacy:
Privacy Program — The basic structure of the privacy program, including responsibility for data, rights provided regarding data, training of employees, and assessment of policies and practices.
Data Security — The administrative, physical, and technical safeguards on personal data, the data security breach incident response plan, and policies for data retention.
Data Management — The internal and external agreements that ensure that data is properly handled and used, such as confidentiality agreements with employees and contracts with outsourcers.
Websites — Websites maintained by the school, departments within the school, and instructional websites used by educators.
Searches and Surveillance — Searches of students and employees, video and audio surveillance, computer network monitoring, searching student electronic devices, and drug testing.
Speech and Expression — Student or employee speech that creates problems at the school: cyberbullying, sexting, online gossip and self-exposure, defamation, intentional infliction of emotional distress, harassment, and threats.
Privacy of Students — Student records, disclosure of student data, disciplinary information, health information, and legal regulation (FERPA, HIPAA, GLBA, Clery Act, etc.).
Privacy of Employees — Employee records, the disclosure of employee data, and background checks and inquiries of applicants.
Privacy of Others — Alumni records, donor records, applicant records, and personal data maintained about all other individuals who are non-students and non-employees.
What Does Protecting Privacy Entail?
Numerous federal and state laws regulate privacy, as do laws around the world. A number of privacy best practices have developed throughout various industries. In addition, various sets of privacy principles have become widely influential, shaping the law in the United States and around the world. The most famous privacy principles are the Fair Information Practices (FIPs), which were developed in 1973 in a report prepared by a federal agency. Another famous set of privacy principles is the Organization of Economic Cooperation and Development (OECD) Guidelines of 1980.
What does protecting privacy entail in the educational setting?
To answer this question, it is useful to identify some of the elements common to the privacy laws, best practices, and principles, and then apply them to educational institutions:
I. Individual Rights
Consent — To the maximum extent possible consistent with the various interests the school is trying to achieve, the school should ask for people’s consent before collecting, using, or disclosing personal information.
Notice and Transparency — The school should be as transparent as possible about its policies involving the collection, use, and disclosure of personal information. The school should provide notice when violations of its privacy policies affect individuals.
Minimum Necessary — The collection, use, and disclosure of personal information should be as limited as possible in order to achieve articulated purposes, which should be of substantial importance.
Restriction on Secondary Use — Generally, the school should not use a person’s data for any different purposes beyond those for which the data was initially collected. If the school desires to use a person’s data for new purposes, the school should first procure that person’s consent. Exceptions to this rule should be expressly stated in the school’s policies.
Confidentiality — The school should maintain the confidentiality of data supplied by individuals unless there is a compelling reason to breach confidentiality.
Restriction on Disclosure — Whenever the school discloses personal data, it should ensure that such disclosure remains as limited as possible and is only done for compelling reasons. Disclosures of personal information should only be made after substantial consideration of all the interests involved.
II. Duties and Responsibilities
Data Inventory and Risk Assessment — The school should keep an inventory of (1) the kinds of data it collects, uses, and maintains; (2) the purposes for which this information is collected; (3) the employees who have access to it; (4) with whom it is shared; and (5) how it is protected. The school should also conduct risk assessments on a periodic basis to identify risks and address them.
Vigilance — The school should remain vigilant about its privacy policies and practices, routinely assessing its policies and their implementation.
Security — The school should keep data secure by using physical, technical, and administrative safeguards. The school should keep track of which employees have access to which types of personal data and ensure that employees are properly trained about data security.
Data Retention and Destruction — Personal data should not be retained once there is no longer a need for it. When disposed of, personal data should be properly destroyed or deleted.
Responsibility and Accountability — The school should designate individuals who will oversee that the policies are followed, have a mechanism for enforcement against violations of policy, have procedures in place to prevent violations and abuses, and have procedures in place for investigating and responding to potential violations of privacy policies.
Training, Awareness, and Education — Protecting privacy should be engrained in a school’s culture and practice, not just stated abstractly in the text of policies. For policies to be effectively implemented, employees must be trained. Most data security incidents are caused by human error and carelessness — training is essential to reducing this problem.
III. The School Community
Respect for Each Other’s Private Life — The school should provide an atmosphere of mutual respect, where members of the community do not infringe upon each other’s privacy or well-being. To the maximum extent possible consistent with freedom of speech, the school should take steps to ensure that members of the community are not engaging in expression that causes harm to others.
Education and Guidance of Students — The school should help its students by teaching them how to protect their own privacy and respect the privacy of others.
Our FERPA Training + Other Education Privacy and Security Training
We have a training course on the Family Educational Rights and Privacy Act (FERPA) that is designed for administrators, faculty, and staff.
Our course (~15 minutes) provides a basic introduction to FERPA and practical guidance about how to comply. The course is taught by Professor Daniel Solove, who has taught in higher education for more than 15 years. Professor Solove teaches in a highly engaging way that is ideally suited for the higher education context. The course is visually stimulating, interactive, and filled with concrete examples.
The course module is SCORM-compliant and works on most learning management systems.
In addition to FERPA training, we have short training courses on:
• cloud computing
• online gossip and self-exposure
• data security awareness
• social engineering
• portable electronic devices
• PCI payment card data
• FTC Red Flags Rule
• research involving health data
About Professor Solove and TeachPrivacy
This resource page was written by Professor Daniel J. Solove. Professor Solove is a law professor at George Washington University Law School and the leading expert on privacy and data security law. He has taught for 15 years, has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. His LinkedIn blog has more than 900,000 followers.
TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics. TeachPrivacy was founded by Professor Solove, who is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.
Please Contact Us If You Are Interested In Privacy and Data Security Training
We can provide you with a login so you can evaluate the programs.