- Jun 2024
-
-
o the creator or originator of that record in order to verify authenticity without the student’s permis
You can verify authenticity of records wo permission
-
Example Scenarios
Great example cases
-
-
www.bates.edu www.bates.edu
-
provide a letter of recommendation for a student that includes grades unless you have received written consent from the student to release this information for this explicit purpose.
Can't put grades in a Letter of Recommendation without written consent
-
provide anyone outside the college with lists of students enrolled in classes;
Class rosters are protected
-
-
teaching.resources.osu.edu teaching.resources.osu.edu
-
If you teach several sections of the same course but the students do not interact with each other in a physical classroom or online, the courses cannot be merged in Carmen.
if they are not combined in Colleague - they can't be in Canvas - good to know. It's not just an integration issue - its FERPA
-
-
www.edsurge.com www.edsurge.com
-
The teacher who saw the incident in-person can speak about it because FERPA is not a confidentiality law. It only protects what’s in a student’s education record.
Interesting - only what is in records is protected.
-
If a school denies access to student records to a parent of a student under the age of 18, that’s a FERPA violation
this is good to know parents of kids under 18 must have access to records
-
One is that, generally, higher education institutions can choose to release a students’ education records to both parents, provided that at least one parent claims the student as a dependent for tax purposes.
INteresting - Baylor won't do this.
-
“It should be clear that [the data] belongs to the school, not to the vendor, and that the vendor’s responsibility is to process it for the benefit of the school and its students, and not for the vendor’s own benefit,” McDonald says.
FERPA and 3rd party Vendors
-
-
studentprivacy.ed.gov studentprivacy.ed.gov
-
“Law enforcement unit records” (i.e., records created by the law enforcement unit, created for a law enforcement purpose, and maintained by the law enforcement unit) are not “education records” subject to the privacy protections of FERPA. As such, the law enforcement unit may refuse to provide a parent or eligible student with an opportunity to inspect and review law enforcement unit records, and it may disclose law enforcement unit records to third parties without the parent or eligible student’s prior written consent
Law enforcement records is not FERPA protectd
-
-
www2.ed.gov www2.ed.gov
-
Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them.
Definition of Directory Information : name address phone date & place of birth honors and awards dates of attendance.
Students can "opt out" of directory information.
-
schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31): School officials with legitimate educational interest; Other schools to which a student is transferring; Specified officials for audit or evaluation purposes; Appropriate parties in connection with financial aid to a student; Organizations conducting certain studies for or on behalf of the school; Accrediting organizations; To comply with a judicial order or lawfully issued subpoena; Appropriate officials in cases of health and safety emergencies; and State and local authorities, within a juvenile justice system, pursuant to specific State law.
Who you can release information to without student consent.
-
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA definitions
-
These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.
Parent's rights end with 18 and / or college and transfers to students
-
- May 2024
-
files.eric.ed.gov files.eric.ed.gov
-
Department of Education offers a detailed overviewof FERPA
FERPA concerns with external tools
Tags
Annotators
URL
-
- Feb 2018
-
app.perusall.com app.perusall.comPerusall1
Tags
Annotators
URL
-
- Nov 2017
-
reclaimhosting.com reclaimhosting.com
-
What about FERPA? The student is controlling how much information is out there. Similar to a public blogging platform being run by a university, FERPA only requires that student records (and what constitutes a “record” is debatable) not be public unless a student gives permission. In this case if the student wanted to sign up and lock down their hosting they can certainly do that, no one is requiring them to make their information public. This also comes back to our strict privacy policy (see previous question)
Interesting approach.
-
- Aug 2017
-
piazza.com piazza.com
-
our current practice and policy was on par with what universities needed. It then became an issue of specifically having a legally binding agreement that protected the universities, professors, and students.
I really like this. "It's in our TOS but we're happy to sign something more/something legally binding."
-
- Feb 2017
-
www.fortlewis.edu www.fortlewis.edu
-
When a student begins attending a postsecondary institution, regardless of age, FERPA rights transfer from the parent to the student
-
-
-
Official FERPA text
-
-
files.eric.ed.gov files.eric.ed.gov
-
and developing solutions to real challenges
Lots of mention of engaging in real world issues/solutions/etc. Is this at odds with the mandates of FERPA and privacy/security in general that govern ed-tech integration in education?
Tags
Annotators
URL
-
- Sep 2016
-
studentprivacy.ed.gov studentprivacy.ed.gov
-
rovider will store and process Data in accordance with industry best practice
Sounds like we're good here.
-
d Provider has a limited, nonexclusive license solely for the purpose of performing its obligations as outlined in the Agreeme
Here we are good and much better than, say, Genius:
When you post User Content to the Service or otherwise submit it to us, you hereby grant, and you represent and warrant that you have the right to grant, to Genius an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense through multiple tiers) to use, reproduce, publicly perform, publicly display, modify, translate, excerpt (in whole or in part), create derivative works of, distribute and otherwise fully exploit all Intellectual Property Rights in and to such User Content for purposes of providing, operating and promoting the Service or otherwise conducting the business of Genius.
-
all intellectual property rights, shall remain the exclusive property of the [School/District],
This is definitely not the case. Even in private groups would it ever make sense to say this?
-
Access
This really just extends the issue of "transfer" mentioned in 9.
-
Data Transfer or Destruction
This is the first line item I don't feel like we have a proper contingency for or understand exactly how we would handle it.
It seems important to address not just due to FERPA but to contracts/collaborations like that we have with eLife:
What if eLife decides to drop h. Would we, could we delete all data/content related to their work with h? Even outside of contract termination, would we/could we transfer all their data back to them?
The problems for our current relationship with schools is that we don't have institutional accounts whereby we might at least technically be able to collect all related data.
Students could be signing up for h with personal email addresses.
They could be using their h account outside of school so that their data isn't fully in the purview of the school.
Question: if AISD starts using h on a big scale, 1) would we delete all AISD related data if they asked--say everything related to a certain email domain? 2) would we share all that data with them if they asked?
-
Data cannot be shared with any additional parties without prior written consent of the Userexcept as required by law.”
Something like this should probably be added to our PP.
-
Data Collection
I'm really pleased with how hypothes.is addresses the issues on this page in our Privacy Policy.
-
There is nothing wrong with a provider usingde-‐identified data for other purposes; privacy statutes, after all, govern PII, not de-‐identified data.
Key point.
-
Modification of Terms of Se
We cover this in the TOS but not the Privacy Policy.
-
rovider will not use any Data to advertise or market to students or their parents. Advertising or marketing may be directed to the [School/District] only if student information is properly de-‐identified
This I am happy to say we seem to have covered. I think it should be higher up in the policy statement. See my annotations in the "Hypothes.is Reading" group here.
-
Data De-‐Identification
Do we do this anywhere?
-
all Personally Identifiable Information (P
Does this include emails?
-
-
tech.ed.gov tech.ed.gov
-
minimize the data your product collects
Seems like this is so.
-
It is best to assume that the student information you collect in your app is statutorily confidential, unless it is de-identified
So, does our pseudonym policy help us here? Students needn't use their real names. Are email addresses "de-indentified" information?
-
data security features
What would this mean?
-
build privacy
Does our groups feature cover it?
Tags
Annotators
URL
-
- Jul 2016
-
studentprivacy.ed.gov studentprivacy.ed.gov
-
Metadata that have been stripped of all direct and indirect identifiersare notconsidered protected informationunder FERPA because they are not PII.
But this data is only interesting from a consumer angle if it is linked to individuals.
-
In order to create studentaccounts, the districtor schoolwill likely need to give the provider the students’ names and contact informationfrom the students’ education records, which areprotected byFERPA
The basic info that h collects does categorize as PI according to FERPA.
So creating accounts without email addresses would be a way to circumvent FERPA.
-
personally identifiable information (PII) from students’ education records from unauthorized disclosure.
-
-
blog.clever.com blog.clever.com
-
Limit retention to what is useful.
So what data does h retain?
- username
- email address
Do annotations count as data?
-
software is increasingly deployed from hosted services, as opposed to on a local district network
So if data is hosted locally then it's less of/not an issue?
-
(but not nonprofits)
COPPA doesn't apply to non-profits?
-
- Dec 2015
-
bavatuesdays.com bavatuesdays.com
-
the hostile environments so many experience when it comes to experimenting locally with ed-tech versus an almost infantile trust in our corporate overlords when it comes to outsourcing.
How are both these things happening at the same time, though?
-
little to no impact on the tech giants to which many K-12 schools, colleges, and universities blissfully outsource their innovation.
There must be some kind of other disconnect here, though. I've always been asked about FERPA--mostly by teachers and professors who have in turn been pressured by administrators. Surely this must enter into conversations with Google Pearson, et al.
-
What constitutes an education record is a bit blurry, making FERPA the bat it has become internally to shut down most conversations about sharing publicly on the web.
Yeah, this is the problematic side effect of FERPA: it works against public use of the open web, a skill necessary for our students to practice.
-