Parents » Student Privacy Update

Student Privacy Update

The U.S. Department of Education (Department) believes that every student in America deserves a high-quality education in a safe environment. As we head toward the end of the calendar year, we are thankful for your work, and want to remind you that the Department’s Student Privacy Policy Office (SPPO) and its Privacy Technical Assistance Center (PTAC) are here to assist you with any of your privacy-related questions or concerns. This newsletter highlights some of our resources and informs you of some recent engagements and presentations.

New Resources 

The Student Privacy Policy Office is finalizing a four-year review of 1,504 local education agencies (LEAs) websites to identify whether, and if so, how they include information about student privacy. In each year of the study, SPPO reviews a nationally representative sample of 376 LEA websites, focusing on whether the LEAs included key student privacy documents and information about the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA) on the LEA website, as opposed to on individual school, board of education, or other websites. This report includes the first three years of research findings.

SPPO provides annual notification to state educational agencies (SEAs) and local educational agencies (LEAs) regarding the educational agencies’ obligations under the FERPA and PPRA. The annual notification, which is required by 20 U.S.C. § 1232h(c)(5)(C), has not substantively changed since it was last issued. The notification may be accessed via our website and is also attached to this listserv announcement.

The Protection of Pupil Rights Amendment, or PPRA, is a federal law that provides certain rights for parents of students regarding, among other things, student participation in surveys; the inspection of instructional material; certain physical exams; and the collection, disclosure, and use of personal information for marketing purposes. This video provides information about these rights, the responsibilities of local education agencies (LEAs) under the law, and what to do if a parent thinks those rights have been violated.

Spotlight on PPRA Resources

As you review our new video, What is the Protection of Pupil Rights Amendment?, you may find you need additional information on the topic. SPPO would like to remind you of our existing related resources:

  • Protection of Pupil Rights Amendment (PPRA) General Guidance, released November 2020, reviews parents’ rights under the PPRA and education officials’ obligations in implementing the PPRA.  The PPRA applies to the programs and activities of a state educational agency (SEA), local educational agency (LEA), or other recipient of funds under any program funded by the U.S. Department of Education. (20 U.S.C. § 1232h, 34 CFR Part 98).
  • Protection of Pupil Rights Amendment (PPRA) Complaint Form: The United States Department of Education's (Department) Student Privacy Policy Office (SPPO) reviews, investigates, and processes complaints of alleged violations of the Protection of Pupil Rights Amendment (PPRA). 20 U.S.C. 1232h and 34 CFR Part 98. If you believe your or your child’s rights under PPRA have been violated, you may submit a complaint using the hyperlinked form.

Where Has SPPO Been?

In this section, we want to share information and highlights from a sampling of our recent presentations and engagements and remind you that you can request our (free!) services for your meeting or training. Go to our webpage to submit a request, https://studentprivacy.ed.gov/request-ptac-training-or-technical-assistance.

  • South Carolina Technology Conference
    • In October 2021, PTAC returned to the field to provide in-person intensive technical assistance in South Carolina, presenting on a wide range of student data privacy and security related topics including data sharing under FEPRA, data security best practices, disclosure avoidance and data breach incident response training.
  • Vermont Data Privacy & Cybersecurity Training
    • PTAC continued reestablishing its in-person technical assistance presence by conducting a two-day workshop in Montpellier Vermont. PTAC conducted four sessions on each day including A FERPA 201 presentation that revolved around navigating advanced FERPA, best practices for vetting EdTech and a multifaceted cybersecurity presentation that provided an overview of the threats to K12 education and a facilitated tabletop exercise on incident response. Conference facilitators and attendees provided high praise for the quality and breadth of the information shared, specifically noting the resulting raised awareness around complex privacy topics.
  • SLDS Best Practices Conference
    • In November 2021, PTAC presented at the annual Statewide Longitudinal Data Systems (SLDS) Best Practices Conference. Prior to the main session, PTAC facilitated a pre-conference virtual workshop emphasizing the essential components of a privacy plan, the key elements of a data breach response plan, and the importance of transparency. PTAC’s main session highlighted how two states (i.e., Washington and Hawaii) are addressing both heightened SLDS data requests in the wake of the COVID-19 pandemic and the increased threat from actors seeking to compromise state and local data systems.
  • Southeast Education Users Group Conference
    • In November, PTAC provided a privacy and cybersecurity track for the Southeast Education Users Group Conference. Sessions provided included FERPA 101, FERPA 201, Vetting Educational Technology on Campus, Data Security Best Practices, and a facilitated Data Breach Response exercise.

Cybersecurity Notice

**Attention K-12 Educational Leaders, CIOs, CTOs, Tech Directors, and School-Based IT Professional**
Please take time to familiarize yourselves with the “log4j/log4shell” vulnerability that may impact enterprise services, websites, and applications your state, district, and/or schools are currently using. This vulnerability has been rated the highest level of criticality (10/10) in terms of how exploitable it is. Cybersecurity & Infrastructure Security Agency (CISA) and partners are working to address the critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library with a new webpage dedicated to the topic: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

  1. Share this information widely across your SEA, LEA, and other intermediaries (e.g., ESAs).
  2. Refer to the CISA webpage for up-to-date information, including any available patches.
  3. Share your learnings with us.

Website Updates

SPPO continues to improve your experience on our website, occasionally compiling related resources or revisiting our cataloguing schema. During the current pandemic, we published multiple resources to help educational agencies and institutions navigate the multitude of privacy issues that have arisen during this time. This month, we want to bring your attention to our new landing page on COVID-19 and Virtual Learning Resources where these resources have been assembled.

If you have questions or ideas on how to improve the website, please don’t hesitate to contact us at PrivacyTA@ed.gov.

Don't Forget the Help Desk!

If you have a question related to student privacy, including those involving FERPA or PPRA, and can’t find an answer on our Student Privacy website (https://studentprivacy.ed.gov), don’t forget you can contact us! The Student Privacy Help Desk, available via email or phone, is staffed by professionals with deep knowledge of the law as well as its practical applications. Please contact us with your questions at PrivacyTA@ed.gov or 1-855-249-3072.