Student Privacy Update
SPPO provides annual notification to state educational agencies (SEAs) and local educational agencies (LEAs) regarding the educational agencies’ obligations under FERPA and PPRA. The annual notification, which is required by 20 U.S.C. § 1232h(c)(5)(C), has not substantively changed since it was last issued. The notification may be accessed via our website and is also attached to this listserv announcement.
The Protection of Pupil Rights Amendment, or PPRA, is a federal law that provides certain rights for parents of students regarding, among other things, student participation in surveys; the inspection of instructional material; certain physical exams; and the collection, disclosure, and use of personal information for marketing purposes. This video provides information about these rights, the responsibilities of local education agencies (LEAs) under the law, and what to do if a parent thinks those rights have been violated.
Spotlight on PPRA Resources
As you review our new video, What is the Protection of Pupil Rights Amendment?, you may find you need additional information on the topic. SPPO would like to remind you of our existing related resources:
- Protection of Pupil Rights Amendment (PPRA) General Guidance, released November 2020, reviews parents’ rights under the PPRA and education officials’ obligations in implementing the PPRA. The PPRA applies to the programs and activities of a state educational agency (SEA), local educational agency (LEA), or other recipient of funds under any program funded by the U.S. Department of Education. (20 U.S.C. § 1232h, 34 CFR Part 98).
Where Has SPPO Been?
In this section, we want to share information and highlights from a sampling of our recent presentations and engagements and remind you that you can request our (free!) services for your meeting or training. Go to our webpage to submit a request: https://studentprivacy.ed.gov/
- South Carolina Technology Conference
  - In October 2021, PTAC returned to the field to provide in-person intensive technical assistance in South Carolina, presenting on a wide range of student data privacy and security topics, including data sharing under FERPA, data security best practices, disclosure avoidance, and data breach incident response training.
- Vermont Data Privacy & Cybersecurity Training
  - PTAC continued reestablishing its in-person technical assistance presence by conducting a two-day workshop in Montpelier, Vermont. PTAC conducted four sessions each day, including a FERPA 201 presentation that revolved around navigating advanced FERPA, best practices for vetting EdTech, and a multifaceted cybersecurity presentation that provided an overview of the threats to K12 education and a facilitated tabletop exercise on incident response. Conference facilitators and attendees gave high praise for the quality and breadth of the information shared, specifically noting the resulting raised awareness around complex privacy topics.
- SLDS Best Practices Conference
  - In November 2021, PTAC presented at the annual Statewide Longitudinal Data Systems (SLDS) Best Practices Conference. Prior to the main session, PTAC facilitated a pre-conference virtual workshop emphasizing the essential components of a privacy plan, the key elements of a data breach response plan, and the importance of transparency. PTAC’s main session highlighted how two states (i.e., Washington and Hawaii) are addressing both heightened SLDS data requests in the wake of the COVID-19 pandemic and the increased threat from actors seeking to compromise state and local data systems.
- Southeast Education Users Group Conference
  - In November, PTAC provided a privacy and cybersecurity track for the Southeast Education Users Group Conference. Sessions included FERPA 101, FERPA 201, Vetting Educational Technology on Campus, Data Security Best Practices, and a facilitated Data Breach Response exercise.
**Attention K-12 Educational Leaders, CIOs, CTOs, Tech Directors, and School-Based IT Professionals**
Please take time to familiarize yourselves with the “log4j/log4shell” vulnerability that may impact enterprise services, websites, and applications your state, district, and/or schools are currently using. This vulnerability has been rated the highest level of criticality (10/10) in terms of how exploitable it is. The Cybersecurity & Infrastructure Security Agency (CISA) and partners are working to address the critical remote code execution vulnerability (CVE-2021-44228) affecting the Apache Log4j software library, with a new webpage dedicated to the topic: https://www.cisa.gov/uscert/
- Share this information widely across your SEA, LEA, and other intermediaries (e.g., ESAs).
- Refer to the CISA webpage for up-to-date information, including any available patches.
- Share your learnings with us.
SPPO continues to improve your experience on our website, occasionally compiling related resources or revisiting our cataloguing schema. During the current pandemic, we published multiple resources to help educational agencies and institutions navigate the multitude of privacy issues that have arisen during this time. This month, we want to bring your attention to our new landing page on COVID-19 and Virtual Learning Resources where these resources have been assembled.
If you have questions or ideas on how to improve the website, please don’t hesitate to contact us at PrivacyTA@ed.gov.
Don't Forget the Help Desk!
If you have a question related to student privacy, including those involving FERPA or PPRA, and can’t find an answer on our Student Privacy website (https://studentprivacy.ed.gov), don’t forget you can contact us! The Student Privacy Help Desk, available via email or phone, is staffed by professionals with deep knowledge of the law as well as its practical applications. Please contact us with your questions at PrivacyTA@ed.gov or 1-855-249-3072.