This post is part of a continuing series on security topics related to education technology and ClassLink. The original post is here.
Understanding Family Educational Rights and Privacy Act (FERPA)
Enacted by Congress in 1974, this federal law applies to schools and governs access to and distribution of school educational records. The law differentiates between ‘Directory Information’ (e.g., student name or other information that would not generally be considered harmful or an invasion of privacy if disclosed) and ‘Personally Identifiable Information’ or PII (e.g., academic performance, student behavior, etc.). Among other things, FERPA permits schools to disclose directory information without parent consent. The law prohibits schools from disclosing PII without a parent’s or eligible student’s written consent.
ClassLink and FERPA
FERPA is a law that governs the actions of school leaders.
ClassLink helps ensure school leaders remain in compliance with FERPA in the following ways:
- ClassLink OneClick is the single sign-on element of the ClassLink system and it gives students and teachers instant ‘one-click’ access to all their online education resources from any device.
- ClassLink OneClick typically receives only student names and school network login usernames, which are widely accepted to be Directory Information, and thus ClassLink helps ensure school leaders remain FERPA compliant.
- ClassLink OneRoster is the class roster element of the ClassLink system and it enables access to class rosters by online education resource providers (Providers) selected by school instructional technology leaders. Providers typically require this information to create accurate login accounts for students and teachers into the online resources selected by school leaders.
- ClassLink OneRoster is architected such that class rosters are stored on a computer located on the school network, not with ClassLink. Using ClassLink OneRoster, school instructional technology leaders match the Provider to the appropriate class rosters and that data is sent directly from the school to the Provider. ClassLink does not accept or store the class rosters and thus ClassLink helps ensure school leaders remain FERPA compliant.
Understanding Child Internet Protection Act (CIPA)
Enacted by Congress in 2000, this federal law applies to schools and libraries. The law requires schools and libraries receiving E-Rate subsidies from the FCC to adopt and implement an Internet safety policy addressing children’s access to obscene or harmful content over the Internet.
ClassLink and CIPA
CIPA is a law that governs the actions of school leaders.
ClassLink is itself a website and does not provide internet access. CIPA is not applicable to ClassLink.
Understanding Children’s Online Privacy Protection Act (COPPA)
Made effective by the Federal Trade Commission in 2000, this rule applies to commercial Web sites and online services. The rule requires parent consent for the collection, use, and disclosure of ‘Personally Identifiable Information’ or PII from children under age 13.
ClassLink and COPPA
COPPA is a rule that applies directly to ClassLink.
ClassLink helps ensure it meets the requirements of COPPA in the following ways:
- ClassLink does not request or require PII from users of the system that are identified as students.
Understanding Student Privacy Pledge
Made effective in 2015 by an industry consortium including the Software and Information Industry Association (SIIA) and the Future of Privacy Forum, this pledge outlines a number of commitments related to the collection, use and storage of student personal information by school service providers.
ClassLink and Student Privacy Pledge
ClassLink is a long-time and active member of the SIIA and was an early signer of the Student Privacy Pledge. Our leadership is aware of the commitments in the pledge and we honor the promise we made to keep those commitments.
The commitments are as follows:
- Not collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student.
- Not sell student personal information.
- Not use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of advertisements to students.
- Not build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student.
- Not make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution/agency, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements.
- Not knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student.
- Collect, use, share, and retain student personal information only for purposes for which we were authorized by the educational institution/agency, teacher or the parent/student.
- Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student personal information we collect, if any, and the purposes for which the information we maintain is used or shared with third parties.
- Support access to and correction of student personally identifiable information by the student or their authorized parent, either by assisting the educational institution in meeting its requirements or directly when the information is collected directly from the student with student/parent consent.
- Maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.
- Require that our vendors with whom student personal information is shared in order to deliver the educational service, if any, are obligated to implement these same commitments for the given student personal information.
- Allow a successor entity to maintain the student personal information, in the case of our merger or acquisition by another entity, provided the successor entity is subject to these same commitments for the previously collected student personal information.
As always, if you have questions just call us and we’ll be glad to cover these or any other topic in greater detail.
Founder and CEO