Under the Family Educational Rights and Privacy Act (FERPA), a federal law passed 50 years ago, schools are legally responsible for protecting student records, Lemke said, most of which are now digital and often fall under the purview of district tech teams.
“You may not deal with students on a day-to-day basis, but these systems that you deal with, these systems hold student data,” Lemke said. “'Student data,' maybe not the right word for it — it’s information about children.”
As manager of the U.S. Department of Education Privacy Technical Assistance Center (PTAC) for more than a decade, Lemke said he helps schools come into compliance with FERPA requirements, and that he’s seen all kinds of mistakes when it comes to protecting children’s information.
“A lot of times these are minor errors, nobody’s ever going to know about them, it’s not going to hurt anybody. But sometimes it does,” Lemke said. “These mistakes can sometimes lead to problems that can actually seriously harm children.”
For example, he said one district posted a transportation list, pulled from a school software system, that accidentally contained Individualized Education Plan (IEP) data, including data on a student with an IEP for emotional disturbance.
“That information is on the Internet today. So, years from now, if you’re a potential employer Googling this student, or if you’re a parent of a girl this student is trying to date, is this going to affect how you view this child?” Lemke asked. “One error by a school employee that probably didn’t know any better has caused a potential lifetime of harm for this child.”
To help prevent the accidental exposure of such protected information, Lemke said everyone who handles student data should be trained on the ins and outs of FERPA and its importance. He added that PTAC can help, as the center provides free FERPA training for schools and runs a student privacy hotline.
One issue Lemke said he’s seen much confusion around is whether certain photos and videos count as part of a student’s protected education record. That confusion led the Department of Education to post answers to frequently asked questions about how FERPA pertains to photos and videos, he said. Lemke called it “one of the single most important documents the department has come out with.”
Outside of more and better training on this and other FERPA topics, Lemke said district tech teams must shore up school cybersecurity to prevent student data breaches and carefully vet the privacy practices of any ed-tech vendors. He said the onus is ultimately on schools, not vendors, to comply with FERPA and protect student data.
“What this privacy law tells you to do is, it tells you to safeguard student information. But you shouldn’t need a law to tell you this. You should do it because it is the right thing to do,” Lemke said. “Because if this information is used improperly or is improperly released, you could cause harm to children.”