The ‘School Official’ exception to FERPA, the federal student privacy law, allows schools to provide student data to principals, teachers and school employees to use for educational purposes.
But recent questions have been raised by stakeholders in the education marketplace as to whether this definition applies to such entities as contractors who may work for the school—such as a bus company—or an email service provider.
The original sponsors of FERPA, which was adopted in 1974, talked about “schools and their agents” on the floor of the U.S. Senate during deliberations on the draft law. But unlike almost all other later privacy laws, the law itself does not directly address how to deal with vendors who might run a school cafeteria, or even parent volunteers who access data by working in a classroom or by calling other parents on a class list.
Nevertheless, schools have regularly used third parties of various sorts—bus companies, parent volunteers, yearbook publishers, photographers. As digital technology expanded into education, these third parties began to include Internet service providers, online assignment tools, scheduling programs, emergency alert systems, backup data centers, and more.
Schools and the U.S. Department of Education always considered these companies to be acting as de facto school employees providing a service as a vendor.
In 2008, the department amended the FERPA rule to officially recognize this ongoing practice and to set boundaries around the use of vendors as school officials. Federal officials took formal comments as part of the rulemaking process and updated the law. The department made it clear that parent volunteers, bus companies, cafeteria operators and technology providers could act as de facto “school officials” as long as they:
- perform an institutional service or function for which the agency or institution would otherwise use employees;
- are under the direct control of the agency or institution with respect to the use and maintenance of education records; and
- are subject to restrictions governing the use and re-disclosure of personally identifiable information from education records.
In 2011, FERPA was updated through regulatory guidelines yet again with further clarifications.
Government agencies of every sort—including today’s public schools—rely on vendors for a wide range of services. Banks, hospitals, and businesses also rely on third parties to handle tasks that specialized providers can operate more effectively. Contractual controls over how the data is collected, used, maintained and destroyed are the key factors to ensure the privacy and safety of data handled by these providers. Many new state student privacy laws that have come into effect now legally mandate these privacy rules for vendors that provide services to schools.
The FERPA rule specifically calls for schools to have direct control over vendors. In other words, schools are ultimately responsible for making sure that vendors have proper policies and safeguards in place for securing and deleting student data. Many districts and postsecondary institutions comply with this by using physical or technological controls to protect education records.
Under the most recent regulatory guidance on FERPA, districts and institutions may rely on contractual and administrative policies for controlling access to education records by school officials. The schools don’t need to be able to walk into the server rooms of vendors, such as cloud providers or backup data centers, but they do need to legally be in control of what happens to the data.
Some privacy advocates have called the “school official” designation for contractors a loophole that creates privacy risks because it allows vendors access to student data. But it is, in effect, simply a manner of designating a vendor to be acting as an agent of a school, in the same way the website provider of a bank is, in practice, the “banker” a consumer is using to check their balance online.
Yet, are vendors being properly restricted by schools, with proper contracts and controls as required?
That’s a fair question to ask of schools and vendors. But the school official exception, if implemented properly, is a sound legal concept that is similar to privacy laws in other sectors. (For instance, if medical records in a hospital are hacked, the hospital would have a claim against the contractor, but patients would also have the right to file against the hospital.)
The department used the interpretation of FERPA to set firm limits on the activities of vendors—which must be under direct control of the school and whose contracts must clearly indicate that vendors can only use data for appropriate education uses. At the end of the day, the school must maintain control over all its data, no matter who it has shared it with, and under what authority.