Q: Our district is concerned about students’ privacy given the increase in virtual learning and utilization of third-party vendors in light of COVID-19. Is our district permitted to disclose personally identifiable information of students’ education records to third-party vendors, such as Clever?
A: Yes, third-party vendors, like Clever, are permitted to obtain personally identifiable information of students’ education records when the local educational agency (LEA) determines the vendor has a legitimate educational interest under the “school official” exception to the Family Educational Rights and Privacy Act (FERPA).
Clever is an online service provider that allows students and teachers to access personalized portals that include learning applications, access to student information systems, access to virtual and recorded instruction or lessons, or assessment programs. Schools and districts may rely on online vendors, such as Clever, to handle services they cannot efficiently provide themselves, particularly in circumstances like the present where online learning has increased due to COVID-19.
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records for those schools that receive funding under an applicable program of the United States Department of Education. 20 U.S.C. § 1232g; 34 CFR Part 99. Generally, local educational agencies must have written permission from a parent or eligible student in order to release any information from a student’s education record. However, FERPA permits disclosure of students’ education records, without consent, to, among others, school officials with legitimate educational interests. 34 C.F.R. § 99.31.
When schools and districts outsource institutional services or functions, FERPA permits that disclosure of PII from education records to third party vendors, like Clever, under the “school official” exception provided that the outside party: (1) performs an institutional service or function for which the school or district would otherwise use its own employees; (2) has been determined to meet the criteria set forth in the school’s or district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records; (3) is under the direct control of the school or district with regard to the use and maintenance of education records; and (4) uses education records only for authorized purposes and may not re-disclose PII from education records to other parties (unless the provider has specific authorization from the school or district to do so and it is otherwise permitted by FERPA). See 34 C.F.R. § 99.31(a)(1)(i) (emphasis added). The legitimate educational interest must be set forth in the school or district’s annual FERPA notification.
The Texas Education Agency (TEA) has published guidance about Privacy and FERPA Considerations for Virtual Instruction, which is available at https://tea.texas.gov/sites/default/files/covid/covid-19_privacy_and_ferpa_considerations_for_virtual_instruction_april_2.pdf . Regardless of the type of online service, the TEA recommends the LEAs review contracts and other user agreements for software, online programs, and materials utilized by third-party vendors providing online services to ensure they meet applicable local, state, and federal policies, rules, and laws. Please contact your local school attorney if you seek additional information or have specific questions regarding privacy concerns related to virtual learning.