School Officials and Ed Tech Vendors
The School Official exception to FERPA, the federal student privacy law, allows schools to provide student data to principals, teachers and school employees to use for educational purposes. But what about contractors who may work for the school, like a bus company or an email service provider? The original sponsors of FERPA talked about “schools and their agents” on the Senate floor, but unlike almost all later privacy laws, the law itself does not directly address how to deal with vendors who might run a school cafeteria, or even parent volunteers who access data by working in a classroom or calling parents on a class list. Nevertheless, schools have regularly used third parties of various sorts: bus companies, parent volunteers, yearbook publishers, photographers and, as tech needs evolved, internet service providers, online assignment tools, scheduling programs, emergency alert systems, backup data centers and more. Schools and the Department of Education always considered these companies to be acting as de facto school employees providing a service as a vendor.
In 2008, DOE amended the FERPA rule to officially recognize this ongoing practice and to set boundaries around the use of vendors as school officials. DOE took formal comments on this issue as part of the rulemaking process and updated the rule. DOE made it clear that parent volunteers, bus companies, cafeteria operators and technology providers could act as de facto “School Officials”, as long as they perform an institutional service or function for which the agency or institution would otherwise use employees; are under the direct control of the agency or institution with respect to the use and maintenance of education records; and are subject to restrictions governing the use and re-disclosure of personally identifiable information from education records. In 2011, the rule was updated yet again with further clarifications.
Government agencies of every sort, like public schools today, rely on vendors for a wide range of services. Banks, hospitals, and businesses of every sort rely on vendors to handle tasks that those specialized providers can handle more effectively. Contractual controls over how the data is collected, used, maintained and destroyed are the key factors to ensure the privacy and safety of data handled by these providers. Many new state student privacy laws now in effect legally mandate these privacy rules for vendors.
The FERPA rule specifically calls for schools to have direct control over vendors. Many districts and postsecondary institutions comply with this by using physical or technological controls to protect education records. Under the final regulations, districts and institutions may rely on contractual and administrative policies for controlling access to education records by school officials. The schools don’t need to be able to walk into the server rooms of vendors such as cloud providers or backup data centers, but they do need to be legally in control of what happens to the data.
Some have called the school official designation for contractors a “loophole” that creates privacy risks because it allows vendors access to student data. But it is in effect simply a manner of designating a vendor to be acting as an agent of a school, in the same way the web site provider of a bank is in practice the “banker” a consumer is using to check their balance online.
Are vendors being properly restricted by schools, with proper contracts and controls as required? That’s a fair question to ask of schools and vendors. But the school official exception, if implemented properly, is a sound legal concept that is similar in concept to privacy laws in other sectors.
It is useful to re-read the text of the 2008 rulemaking by DOE, which demonstrates that the issues involved with the interpretation of the school official exception were thoroughly discussed. DOE used the interpretation of FERPA to set firm limits on the activities of vendors, who must be under direct control and whose contracts must clearly indicate that vendors can only use data for appropriate education uses.
Following are selected portions of the DOE rulemaking discussion: read it for yourself and let us know what you think! (For ease of reading, we have edited out extensive side material that we didn’t think central to this discussion – read the full rulemaking at the link below.)
Outsourcing – Outside Parties Who Qualify as School Officials
Comment: A few commenters disagreed with the proposal to expand the “school officials” exception to include contractors, consultants, volunteers, and other outside parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform. They believed that the modifications undermined the plain language of the statute and congressional intent. Several other commenters supported the proposed regulations, saying that it was helpful to include in the regulations what has historically been the Department’s interpretation of the “school officials” exception. A majority of commenters…raised a number of issues concerning the proposal. Several commenters expressed concern that the requirement that an outside party must perform an institutional service or function for which the agency or institution would otherwise use employees is too restrictive and impractical. …Several commenters asked that we clarify in the regulations that [it] also applies to school transportation officials, school bus drivers, and school bus attendants who need access to education records in order to safely and efficiently transport students. …
Discussion: The Secretary does not agree that the proposed changes go beyond the plain reading of the statute and congressional intent. … FERPA’s broad definition of education records includes records that are maintained by “a person acting for” an educational agency or institution. … We disagree with commenters that the requirement that the outside party must perform an institutional service or function for which the agency or institution would otherwise use employees is too restrictive or unworkable. The requirement serves to ensure that the “school officials” exception does not expand into a general exception to the consent requirement in FERPA that would allow disclosure any time a vendor or other outside party wants access to education records to provide a product or service to schools, parents, and students. …The statutory basis for expanding the “school officials” exception to outside service providers is that they are “acting for” the agency or institution, not selling products and services. …FERPA does not otherwise restrict whether a school may outsource institutional services and functions; it only addresses to whom and under what conditions personally identifiable information from students’ education records may be disclosed. Once a school has determined that an outside party is a “school official” with a “legitimate educational interest” in viewing certain education records, that party may have access to the education records, without consent, in order to perform the required institutional services and functions for the school. These outside parties may include parents and other volunteers who assist schools in various capacities, … where they need access to students’ education records to perform their duties. The disclosure of education records under any of the conditions listed … is permissive and not required. 
…Therefore, schools should always use good judgment in determining the extent to which volunteers, as well as other school officials, need to have access to education records and to ensure that school officials, including volunteers, do not improperly disclose information from students’ education records. …We think it would be impossible to provide a comprehensive listing and believe that agencies and institutions are in the best position to make these determinations. At the discretion of a school, school officials may include school transportation officials (including bus drivers), school nurses, practicum and fieldwork students, unpaid interns, consultants, contractors, volunteers, and other outside parties providing institutional services and performing institutional functions, provided that each of the requirements … has been met. … The Department has long recognized that FERPA does not prevent schools from outsourcing institutional services and functions …
Comment: Some commenters asked the Department to clarify what the term “direct control” means …. This section provides that in order to be considered a “school official” an outside party must be under the direct control of the agency or institution. Some commenters asked if this term means that the school must monitor the operations of the outside party, and how it affects an agency’s or institution’s relationship with subcontractors or third- or fourth-party database hosting companies. …One commenter stated that institutions should be required to verify that parties to whom they outsource services have the necessary resources to safeguard education records provided to them. …
Discussion: The term “direct control” … is intended to ensure that an educational agency or institution does not disclose education records to an outside service provider unless it can control that party’s maintenance, use, and redisclosure of education records. This could mean, for example, requiring a contractor to maintain education records in a particular manner and to make them available to parents upon request. … as discussed in the NPRM, educational agencies and institutions are responsible under FERPA for ensuring that they themselves do not have a policy or practice of releasing, permitting the release of, or providing access to personally identifiable information from education records, except in accordance with FERPA. This includes ensuring that outside parties that provide institutional services or functions as “school officials” … do not maintain, use, or redisclose education records except as directed … We believe that the use of the “direct control” standard strikes an appropriate balance in identifying the necessary and proper relationship between the school and its outside parties that are serving as “school officials.” … one way in which schools can ensure that parties understand their responsibilities under FERPA with respect to education records is to clearly describe those responsibilities in a written agreement or contract. Exercising direct control could prove more challenging in some situations than in others. Schools outsourcing information technology services, such as web-based and e-mail services, should make clear in their service agreements or contracts that the outside party may not use or allow access to personally identifiable information from education records, except in accordance with the requirements …
Changes: We have revised (this section) to clarify that the outside party must be under the direct control of the agency or institution with respect to the use and maintenance of information from education records.
Protection of Records by Outside Parties Serving as School Officials
Comment: We received several comments (regarding) an outside party serving as a “school official” … subject to the requirement … regarding the use and redisclosure of personally identifiable information from education records. One commenter stated that …the proposed regulations did not go far enough to clarify that these outside third parties could not use education records …to engage in activities not associated with the service or function they were providing. …
Discussion: An agency or institution must ensure that an outside party providing institutional services or functions does not use or allow access to education records except in strict accordance with the requirements established by the educational agency or institution that discloses the information. …FERPA regulations appl(y) to employees and outside service providers alike and prohibit the recipient from using education records for any purpose other than the purposes for which the disclosure was made. This includes ensuring that outside parties do not use education records in their possession for purposes other than those specified by the institution that disclosed the records. …
Control of Access to Education Records by School Officials
Comment: Many commenters supported (the) proposed (rule), which requires an educational agency or institution to use reasonable methods to ensure that school officials have access to only those education records in which the official has a legitimate educational interest. In this section, we also proposed that an educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the “legitimate educational interest” requirement. …
Discussion: (This section) requires that a parent or eligible student provide written consent for a disclosure of personally identifiable information from education records unless the circumstances meet one of the exceptions to consent, such as the release of information to a school official with a legitimate educational interest. Thus, a district or institution that makes a disclosure solely on the basis that the individual is a school official violates FERPA if it does not also determine that the school official has a legitimate educational interest. The regulations … are designed to clarify the responsibility of the educational agency or institution to ensure that access to education records by school officials is limited to circumstances in which the school official possesses a legitimate educational interest. We believe that the standard of “reasonable methods” is sufficiently flexible to permit each educational agency or institution to select the proper balance of physical, technological, and administrative controls to effectively prevent unauthorized access to education records, based on their resources and needs. In order to establish a system driven by physical or technological access controls, a school would generally first determine when a school official has a legitimate educational interest in education records and then determine which physical or technological access controls are necessary to ensure that the official can access only those records. …The Department expects that educational agencies and institutions will generally make appropriate choices in designing records access controls, …(as) contractors are subject to the same conditions governing the access and use of records that apply to other school officials. … Schools have the flexibility to decide the method or methods best suited to their own circumstances… The regulations do not designate all volunteers as school officials. 
Rather, the regulations clarify that schools may designate volunteers as school officials who may be provided access to education records only when the volunteer has a legitimate educational interest. Schools can and should carefully assess and limit access by any school official, including volunteers. … FERPA prohibits school officials from having access to education records unless they have a legitimate educational interest.