Student Data Privacy Guidance

This tool is not legal advice

Consult an attorney to ensure program compliance with all federal, state, and local laws.

What is data privacy?

Data privacy refers to an individual’s right to control how personal information about them is collected and used, particularly by digital systems. It consists of two elements: confidentiality and security. Confidentiality means that an individual’s personal data is collected, accessed, used, and transferred only with their informed and affirmative consent. Security means keeping personal data effectively protected from unauthorized access by third parties. Both are necessary for maintaining data privacy.

What is student data?

In this document, student data refers specifically to students’ Personally Identifiable Information, or PII, which is any information that can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information. This second point about linkages with other information is key: while a student’s surname, school, or grade level alone may not be enough to trace their identity, these three data points together can often uniquely identify a student. As a result, any information your program collects about students, including information collected on educational apps, is Personally Identifiable Information (PII), and is subject to additional restrictions and regulations.

What kinds of Personally Identifiable Information (PII) might a tutoring program collect as student data? 

Any data about a student’s identity that is particular to an individual student is PII. Types of PII/student data include:

  • Students’ Names
  • Dates of Birth
  • Parents’ Names
  • Home Addresses
  • Home Languages
  • Demographic Information
  • School & Grade Level
  • Education Records
  • Class Schedules
  • Special Needs (e.g. IEP Status)
  • School ID Numbers
  • Phone Numbers
  • Email Addresses
  • Online Usernames
  • Cookies & Device Identifiers

In short, your program will collect a lot of data about your students. Keeping this data private is exceptionally important.

Why does student data privacy matter?

Students have a right to privacy. Tutoring programs that seek to become part of a student’s educational support structure are asking students to trust them implicitly, and so your program must act in ways that preserve, even sanctify, that trust. But exposing students’ personally identifiable information to unknown and untrustworthy third parties violates their trust. And collecting, accessing, using, or sharing student data without their (or their parents’) written consent can expose your tutoring program to legal liability, so consult an attorney and spare no expense. This tool is not legal advice!

Federal Government Resources

Familiarize yourself with all resources available at Studentprivacy.ed.gov, especially the Responsibilities of Third-Party Service Providers (with a flyer for contractors) and Virtual Learning during COVID-19. There is a helpful Glossary, along with tools for Protecting Student Data Privacy While Using Online Educational Services, such as Model Terms of Service.

What important federal laws govern student data privacy?

While there is not yet a coherent federal law governing data privacy writ large, three key laws govern student data privacy.

FERPA (Family Educational Rights & Privacy Act): Schools can only share data with you for educational purposes. FERPA protects the access to and sharing of a student’s education record, which is all information directly related to a particular student as part of their education. It gives parents specific rights to their child’s education records until the child turns 18, and restricts who else can access them. Most importantly for tutoring programs, FERPA contains a “school official” exception allowing schools to share student data with volunteers, companies, or other vendors (i.e. community-based organizations such as tutoring programs), but only when used for educational purposes directed by the school.

COPPA (Children’s Online Privacy Protection Act): Only use data for educational purposes, and obtain consent first. COPPA requires organizations to have a clear privacy policy, provide direct notice to parents, and obtain parental consent before collecting any information from children under 13. Teachers and other school officials are authorized to provide this consent on behalf of parents for use of an educational program, but only for use in the educational context. This means the organization can only collect personal information from students for its specified educational purpose, keep it only as long as necessary for that purpose, and use it for no other commercial purpose.

PPRA (Protection of Pupil Rights Amendment): Let parents opt out of any student surveys about sensitive topics. The Protection of Pupil Rights Amendment (PPRA) is a federal law that affords certain rights to parents of minor students with regard to surveys that ask personal questions. Schools must be able to show parents any of the survey materials used, and must obtain written consent from parents for any surveys that deal with the following sensitive categories:

  • Political affiliations;
  • Mental and psychological problems potentially embarrassing to the student and their family;
  • Sex behavior and attitudes;
  • Illegal, self-incriminating, anti-social, and demeaning behavior;
  • Critical appraisals of other individuals with whom respondents have close family relationships;
  • Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
  • Religious practices, affiliations, or beliefs of the student or student's parent; or
  • Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance).

Confidentiality Guidance: Proactive Measures for Programs to Take

Keeping student data private requires robust confidentiality practices. Confidentiality requires both clear systems and aligned everyday practices. The list below suggests baseline expectations for both, particularly for avoiding common pitfalls. It is not exhaustive, nor is it a replacement for legal advice from an attorney, but it offers some basic advice.

  • Build Confidentiality into your Systems and Structures.
    • Familiarize yourself with all federal, state, local, and even partner district- or school-level policies.
    • Create an exhaustive internal data policy that outlines guidance for how employees can use student data.
      • Consider starting with the Student Privacy Pledge as a fundamental baseline for your policy.
      • Create a public-facing privacy policy with legal advice and guidance from an attorney.
      • Include clear guidance for how and when to share data, e.g. how to ensure emails are encrypted.
      • Dedicate time and resources to ensure that all student data you collect is stored securely.
      • Include a detailed Data Breach Response Policy for what to do if something goes wrong.
    • Train all program staff, including tutors, on data privacy legal requirements and program expectations.
      • Establish norms of confidentiality with explanations of the exceptions (e.g. Mandated Reporting).
    • Outline data sharing agreements with school staff clearly in a signed Memorandum of Understanding.
      • Clearly state which educational apps have been approved and how they will be used for tutoring.
    • Create handbooks for families in plain language that outline what data you will collect, how the data will be used, who can access the data, with whom it can be shared, and what families’ rights are under the law.
      • Best practices include translating it into common home languages and asking for signed approval.
  • Maintain Confidentiality in Everyday Practice.
    • Hold tutors and program staff accountable for expectations about responsible use of student data.
    • Be transparent with students about why you need (or want) whatever information you ask them for.
    • Verify identities before sharing any information about a student. For example, do not reveal information about a student over phone or text message, even to a phone number you have on file for their parent or legal guardian, before first confirming that you have the right number and have reached the right person.
    • Whenever feasible, communicate with students and parents through end-to-end encrypted protocols.
    • Whenever feasible, block all online tracking and advertising on any devices you require students to use.
    • Never require students to use software that tracks or targets them with personalized ads (e.g. personal Gmail or YouTube accounts). If software is important enough to require it, get an enterprise or education edition.

Security Guidance: Common Mistakes for Users to Avoid

Keeping student data private requires strong digital security practices. This list will help you avoid common mistakes that can leave your students’ data vulnerable to online attackers. Both program staff and tutors should follow these guidelines. This list is not exhaustive, nor is it a replacement for hiring an information security expert, but it offers some basic advice.

  • Physical Device Security: Keep your devices under your control, or else you cannot secure the data on them.
    • Set up Mobile Device Management (MDM) for your program’s equipment. This not only helps keep software up-to-date and secure, but also enables location tracking and remote data wipes of lost devices.
    • Use a dedicated device for work. Don’t recreationally browse the web on devices that have student data.
    • Don’t leave a device unattended without logging out or locking it. This applies regardless of location. If you use a device to access student data, lock it when you step away, and log back in when you return.
    • Don’t write down login credentials. A sticky note on your monitor is not secure information storage. And if your login credentials are not kept secure, neither is any of the data that you use them to access.
  • Password Security: Use long and unique passwords, and keep them to yourself.
    • Don’t rely exclusively on passwords. Getting them right is hard. Use two-factor authentication wherever the service supports it.
    • Don’t use weak passwords. Weak passwords are:
      • Short: Any password shorter than 10 characters is essentially worthless, because an automated attack can guess it instantly. Long passwords are strong passwords, and best of all are memorable multi-word passphrases. 16 characters is a safe balance between convenience and actual security.
      • Reused: Never reuse passwords. Your password on one service should be completely different from your password on any other service. This prevents a cascade failure where a security breach in any one service compromises all your accounts across every service. It is highly recommended to use password manager software to create and securely store a unique password for every service.
      • Commonplace: Avoid common words. Words that many people typically use as passwords, like “Password1!” or any permutations of it, are never safe to use. These passwords will be among the very first guesses an automated attack will make, and as a result will be compromised instantly.
    • Don’t share login credentials. Common mistakes here include:
      • Multi-person accounts: No two people should use the same username and password to log in to a service. Do not share your account credentials with colleagues, and do not let them share theirs with you. Sharing accounts compromises both security and accountability if things go wrong.
      • Saving students’ passwords: Your students’ passwords are theirs, not yours. While it may be tempting to record student passwords in a spreadsheet for convenience, that spreadsheet becomes a high-value target. If it gets compromised, so does every student account. And since they may have reused their passwords elsewhere, their personal accounts may now be compromised too.
      • Falling for phishing: Only enter your password into the actual login page for that service. Check the URL, and watch out for unsolicited emails with links to similar-looking web pages that ask you to log in. Report any such emails, and do not enter your credentials into any fake login pages!
  • Digital Systems Security: Keep all student data inside your secure system, or else all its security is meaningless.
    • Don’t save student data to personal/shared devices. If you must use a shared device, use incognito or private browsing, log out of all accounts afterwards, and don’t download student data to the device itself.
    • Don’t save student data to flash drives. Use enterprise-grade cloud storage to sync data across devices.
    • Don’t save student data to personal email or cloud storage accounts (e.g. Gmail & Google Drive). Because they are used for data harvesting, consumer-grade accounts lack adequate privacy protections.
    • Don’t make shared documents publicly accessible. “Anyone with the link” is never the right choice for sharing any student data. Restrict document access to specific users, or at least to your own organization.