Troutman Sanders LLP: Student Data Privacy: No Free Hall Pass to Use Student Data

Troutman Sanders LLP: Student Data Privacy: No Free Hall Pass to Use Student Data

Not all data is equal in the eyes of the law.  We’ve pointed out on more than one occasion how data related to minors is subject to special protections.  Student data, which can be loosely defined as personal information collected by educational institutions about their students, is yet another species of data that must be handled with care. 

The grandfather of student data laws – and one of the very first privacy laws enacted in the United States – is the Family Educational Rights and Privacy Act (FERPA).  This 1974 law was intended to protect educational records, and it prohibits federally funded educational institutions from disclosing, among other things, personally identifiable information from a student’s records to a third party unless a legal guardian (or eligible student) has given consent.  Protected “personally identifiable information” includes the student’s name; the name of the student’s parent or other family member; the address of the student or student’s family; a personal identifier, such as the student’s social security number or student number; or other information that would make the student’s identity easily traceable.  There are a number of exceptions to the general prohibition, including somewhat controversial changes in late 2011 that expanded educational institutions’ ability to disclose certain information that “would not generally be considered harmful or an invasion of privacy if disclosed,” such as a student identification number, to certain third-parties without consent.

Another federal law governing the disclosure of student information is the Protection of Pupil Rights Amendment (the PPRA).  Among other things, the PPRA allows a parent to opt a student out of activities involving the collection, disclosure, or use of personal information obtained from students for marketing, sale, or for other distribution of the information to third parties.

Although FERPA and the PPRA govern only federally funded educational institutions, and do not place any restrictions on how private actors handle student data, individual school districts’ increasing reliance on cloud computing services to store, transfer, or analyze information create an interesting intersection of public regulation and private enterprise that may hold lessons for other fields.

For example, a recent study by the Center of Law and Information Policy at Fordham Law School regarding the growing trend in school districts’ reliance on cloud computing services identifies discrepancies that often exist between a school district’s legal obligations and their contracts with vendors.  In the educational context, where technology services are often procured as a result of a public bidding process on behalf of multiple educational systems, contracts may lack terms that would assure that FERPA and PPRA protections are extended to data in vendor’s hands.  To bring vendors’ contracts in line with the school districts’ own legal obligations, the Fordham study recommends that vendors’ contracts include provisions that merit consideration by any party procuring cloud services, including:

  • Specification of the types of data transferred or collected
  • Prohibition or limitation on re-disclosure of Personally Identifiable Information
  • Prohibition or limitation on the sale or marketing of Personally Identifiable Information without express consent
  • Assurance that the procuring party [in this case, school districts] have exclusive control over data access and mining
  • Prohibition on the imposition of new or conflicting privacy terms when end-users activate an account
  • Allocation of responsibilities for granting end-user access and correction requests
  • Specification of whether foreign storage and processing is permitted
  • Specification of whether other government agencies may gain access without end-user consent
  • Specification of data security measures and breach notification responsibilities
  • Prohibition on unilateral modification
  • Audit rights

These educational privacy laws point out, as we have many times before, the fact that the privacy regime in the United States is fractured and industry-specific.  But protections can be negotiated in your vendor contracts, and the Fordham study provides some good examples of protections users should be looking for when negotiating with cloud vendors.

For more information, please contact Karl Broder or John Hutchins.

The California Supreme Court issued a unanimous opinion on February 10 holding that ZIP codes are "personal identification information" for purposes of the state’s Song-Beverly Credit Card Act of 1971, and therefore may not be recorded by a business as part of a credit card transaction. The decision will have important implications - retailers and others should ensure their practices conform with California law.

Please click here to view or download the entire article.

­­­­­­­­­­­­­­­­­­­­About Troutman Sanders

Troutman Sanders is an international law firm with offices in North America, Europe and Asia. Founded in 1897, the firm’s heritage of extensive experience, exceptional responsiveness and an unwavering commitment to service has garnered strong, long-standing relationships with clients across the globe. These clients range from multinational corporations to individual entrepreneurs, federal and state agencies to foreign governments, and non-profit organizations to businesses representing virtually every sector and industry.

Troutman Sanders lawyers provide counsel and advice in practically every aspect of civil and commercial law related to the firm’s core practice areas: Corporate, Finance, Litigation, Public Law and Real Estate. With more than 50 practice groups focused on specific aspects of these areas, the firm is defined by its considerable knowledge base and proactive approach to addressing legal and business challenges.

For more information about LexisNexis products and solutions, connect with us through our corporate site