By D|K’s School and Higher Education Law Team
A number of providers of online educational services and mobile applications rely on a Terms of Service Agreement (TOS) which requires users to click to accept an agreement in order to access the service or application for the first time. Once clicked, the terms will likely govern what information the provider may collect from or about students, what the provider can do with the information, and with whom they may share it. Depending on the content, these agreements may lead to violations of the Family Educational Rights and Privacy Act, the Protection of Pupil Rights Amendment, or other laws.
To protect student data from improper use and disclosure, the U.S. Department of Education recently issued guidance and a training video to assist school officials in evaluating potential TOS agreements and help them identify which online educational services and applications have strong privacy and data security policies and practices (see https://studentprivacy.ed.gov/ and http://ptac.ed.gov/document/protecting-student-privacy-while-using-online-educational-services-training-video).
The guidance makes recommendations, organized by terms of service, as follows:
- Data, defined: Beware of provisions that limit the definition of protected data, such as, “Data only include user information knowingly provided in the course of using (this service)” and provisions that narrowly define the “Data”, “Student Information”, or “Personally Identifiable Information” that will be protected. Such limiting provisions should not be included in a TOS. Rather, broader terms that capture the range of “Personally Identifiable” information should be used to protect student data.
- Data De-Identification: Because data can be difficult to fully de-identify, the agreement should prohibit re-identification and any future data transfers unless the transferee agrees not to attempt re-identification. Language that states a provider may use de-identified data for product development, research, or other purposes should not be included in a TOS.
- Marketing and advertising: Terms of service agreements should be clear that data may not be used to create user profiles for purposes of targeting students or their parents for advertising and marketing, which could violate privacy laws.
- Modification of Terms of Service: Districts should maintain control of the data by preventing the provider from changing the terms without consent.
- Data collection: Agreements should include a provision that limits data to only what is necessary to fulfill the terms; otherwise vendors could potentially collect a wide array of student information.
- Data use: Districts should restrict data use to only the purposes outlined in the agreement. This will assist Districts in maintaining control over the use of FERPA-protected student information.
- Data sharing: While providers may use subcontractors, Districts should be made aware of these arrangements, and subcontractors should be bound by the limitations in the terms of service. Be cautious of language that states a provider may share information with third-party vendors or subcontractors.
- Data Transfer or Destruction: Language relating to transfer or destruction helps limit the amount of personal information available to third parties and prevents improper disclosure. Districts maintain control over the appropriate use and maintenance of FERPA-protected student information. Beware of language that reads “maintain(s) the right to use Data or user content”.
- Rights and License in and to Data: In addition to maintaining ownership of data, language stating the parties agree that all rights, including all intellectual property rights, remain the exclusive property of the District will protect against a provider selling information. Make sure the TOS does not contain language stating that providing data or user content grants the provider irrevocable rights to license, distribute, transmit or publicly display data or user content.
- Access: Federal student records laws require Districts to make education records accessible to parents. A good contract will acknowledge the need to share student information with the District upon request in order to satisfy parental access requirements under FERPA. Watch for language that would limit a District’s access to the data held by the provider.
- Security controls: Failure to provide adequate security to students’ personally identifiable information is not a best practice and could lead to a FERPA violation.
The guidance also provides links to the Privacy Technical Assistance Center and other resources that offer other best-practice recommendations related to terms of service agreements.
If your District either provides online educational services or accesses such programs, the service agreements should be reviewed in light of this most recent guidance. Please contact your Davis & Kuelthau, s.c. attorney with questions related to online educational programs and protection of student data.