CITE24: How to Negotiate Data Privacy Contracts Like an Expert

The California IT in Education (CITE) contract negotiation services are growing more important with new student data privacy requirements and increasing attacks on personal data.

Protecting student data is getting harder to do at the same time the legal and ethical imperatives to do it are becoming more urgent. Key to this problem are vendor negotiations, and securing data privacy agreements (DPAs) that comply with state and federal laws. Addressing the California IT in Education (CITE) conference last week, CITE Contract Specialist Erin Clancy advised taking a collaborative approach to these negotiations and helping ed-tech vendors understand all the moving parts.

To Clancy, much of the battle is educating vendors on the importance of student data privacy and the legal obligations schools have. The education and research sector has been the most-targeted industry by cyber attacks worldwide, with an average of 3,086 attacks per organization, according to August 2024 research from the software company Check Point. Clancy pointed to 2023 research suggesting that the average data breach incident costs $3.65 million to remedy, putting district finances as well as student data at high risk.

“A lot of times, when working with vendors, it’s just a matter of educating them,” she said. “Especially those who didn’t set out to be in the education space, they often have no idea about their legal obligations.”


The Family Educational Rights and Privacy Act (FERPA) grants rights to education records, including control over who can access personally identifiable information, to parents and students 18 years or older. Under FERPA, schools must ensure student data is used only for educational purposes.

The Children’s Online Privacy Protection Act focuses on services for students under the age of 13, requiring parental consent before collecting personal information. School districts can act on behalf of parents and provide consent for educational tools, but contracts must clearly define how vendors collect, use and store student data.

The Protection of Pupil Rights Amendment explicitly protects some sensitive student information, like political and religious beliefs.

In California, the Student Online Personal Information Protection Act prohibits vendors from using student data to create student profiles or target advertising.

DATA PRIVACY AGREEMENTS


Navigating all these requirements, their overlap and how they apply to each use can be tricky, but it will certainly include a data privacy agreement, Clancy said. A DPA is part of a vendor contract that includes data use limitations — which might include those uses prohibited by law — as well as breach-response timelines and compliance with evolving laws.

The DPA should position vendors as custodians, rather than owners, of all student data, leaving ownership to the education agency, Clancy said. It should establish terms for their data practices, including a provision that parents or guardians retain access to and control over student data, and a promise to update these in the future.

Clancy said sometimes these two points can confuse vendors. For example, she once received a draft vendor contract that removed a paragraph requiring parental access to student data. The vendor argued that they did not directly access the data, so it didn’t make sense to include the paragraph. Clancy said that the provision is still important to include in case something changes in the future.

“Because their practices can change at some point, we need to make sure that they’re still being compliant,” she said. “They could sign this one day and then change everything the next.”

Breach notification — how and when vendors notify the education agency in the case of a data breach — should also be explicit in the DPA. Legally, vendors must notify their education partners “without undue delay,” which is up to interpretation.

Clancy said contract negotiators at CITE typically start with a promise to notify within 72 hours of a confirmed breach. Sometimes, vendors don’t understand that the time it takes to investigate and confirm a breach is not included in those 72 hours, and the clock starts only when they’re sure, she said. If vendors are still pushing back on the timeline, Clancy said CITE will typically counter with three business days and, on occasion, five business days.

Other important points for DPAs include provisions for data security standards, data deletion and emerging technologies. These areas are slightly more legally flexible, Clancy said, and some organizations offer certifications for tech companies meeting certain student data security best practices. For data deletion, a common agreement is that the vendor will delete data from its storage at the termination of the agreement.

RESOURCES


CITE keeps a database of signed DPAs between vendors and education agencies that are legally compliant. Within those contracts, a section called Exhibit E allows other education agencies to piggyback off the agreement, saying the vendor will offer the same privacy protections in the given DPA to other education agencies who sign. CITE also houses a standard data privacy agreement on their website for education agencies to use as a template.

These resources can help education agencies reach data privacy agreements quickly and without much back and forth, Clancy said, but if it comes down to negotiations, she recommends taking a “just because you’re right doesn’t mean I’m wrong” mindset.

“Both sides come from different areas of expertise,” she said. “The best thing you can do is listen and understand the concerns of the other party.”

Abby Sourwine is a staff writer for the Center for Digital Education. She has a bachelor's degree in journalism from the University of Oregon and worked in local news before joining the e.Republic team. She is currently located in San Diego, California.