Blog Post
The value of data discovery in education technology
In an era where education and technology intertwine more closely than ever, the safeguarding of student data emerges as a critical concern. EdTech providers and educational institutions in the United States navigate a complex web of federal and state regulations designed to protect the sensitive information of learners. Yet, the stakes are high; a single breach can inflict financial and reputational damage costing millions.
This article delves into the shared responsibility of data privacy in the educational sphere, focused on the US, highlighting the pivotal role of data discovery in mitigating risks and ensuring compliance. As budgets tighten and regulatory pressures mount, understanding and managing student data becomes not just a legal obligation, but a cornerstone of trust in the digital learning landscape.
Student data privacy in EdTech
Both EdTech providers, and the schools and colleges that use their products and services are obligated to comply with multiple federal laws governing student information, as well as state-level statutes and school district requirements for data protection.
The costs to a school or EdTech provider suffering a breach of student data can be staggering. According to IBM’s Cost of a Data Breach Report 2023, breaches in education cost institutions an average of $3.65m.
From EdTech solution providers and education technologists to teaching staff supporting EdTech in schools and colleges, the security and privacy of student data is a shared responsibility.
Regulatory obligations of education providers
There are three key laws in the US that provide a framework for protecting student and children’s data — COPPA, FERPA and HIPAA.
The Children’s Online Privacy Protection Act (COPPA)
COPPA empowers parents to control the collection of personal information from their children below the age of 13. The law establishes requirements for operators of websites or online services that are either directed to children under 13 or knowingly collect personal information from children under 13.
Education technology providers must comply with COPPA by obtaining verifiable parental consent before collecting personal information from children. This includes the use of educational apps and websites in the classroom.
COPPA requires education technology providers and institutions to:
- Obtain parental consent before collecting personal information from children below 13 years of age
- Maintain a clear and comprehensive privacy policy detailing what information is collected from children, how it is used and how it is protected
- Implement appropriate data security controls to protect the confidentiality, security and integrity of children’s data
Family Education Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records across all educational institutions that receive federal funding. It gives parents certain rights with respect to their children’s education records, restricting access to these records and granting the right to review and request amendments to parents. These rights transfer to the student when they turn 18 or attend a school beyond the high school level.
FERPA requires federally funded education institutions to:
- Grant parents or eligible students the right to inspect and review their student records maintained by the school
- Enable parents or eligible students to request that records are corrected where they are inaccurate or misleading
- Obtain written permission from parents or eligible students to release any information from a student’s education record to a third party
Health Insurance Portability and Accountability Act (HIPAA)
While HIPAA has limited specific applicability to schools and education providers, there are some situations where student health records are held by schools when the law would apply — such as within a school clinic.
The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive patient health information from being disclosed without the patient’s consent or knowledge. The HIPAA principles still play a vital role in contexts where healthcare providers interact with schools, safeguarding student health data with stringent confidentiality measures.
Learn more about HIPAA and the technical safeguards you need to know
Outside the US, local data protection and privacy laws such as GDPR and APA apply to schools, education institutions and education solution providers, and these organizations must uphold their legal obligations when collecting and processing children’s personal information.
Data awareness for cost-effective compliance
The increasing regulation of student data places a burden on schools and EdTech providers, where budgets are tight, and resources are limited. That’s where data discovery can help.
Data discovery identifies all locations of student data within IT systems. Rather than assuming data is stored only in the places it’s expected (such as student record or lesson support systems), data discovery uncovers information wherever it really is.
Rogue data often resides in email systems, on notepad applications, in call or video-conferencing recordings, and on screenshots. These may be stored on local machines, network systems or in cloud-based services. Such stores of data present a risk to schools, and their students, because security and privacy controls aren’t designed to protect them.
How data discovery supports student data privacy compliance
COPPA | FERPA | HIPAA | |
---|---|---|---|
Summary | Defines what commercial websites and online services must do to protect children’s privacy and safety online. | Aims to protect the privacy of student education records from unauthorized disclosure. | Within schools, applicable to student health records. This can include hired healthcare personnel working with students. |
Applicability for schools | Schools must ensure web/online services used or promoted by the school are COPPA compliant. | Schools must protect student records from unauthorised disclosure and grant student and parental rights to records. | Schools must ensure HIPAA compliant handling and processing of student health records entrusted to them. |
Applicability for EdTech | Solutions must ensure the privacy and security of children under the age of 13. | Solutions must enable schools to satisfy parent and student rights towards student records. | Solutions processing student health records must meet HIPAA guidelines for security. |
Data Discovery | Provides the foundation of data management for web and online EdTech service providers. | Provides assurance for schools and EdTech providers that student data is stored only in authorised locations; enables discovery and targeted mitigation of rogue data stores. | Provides assurance for schools and EdTech providers handling healthcare information that it is stored only in authorised locations; enables discovery and targeted mitigation of rogue data stores. |
How data discovery supports student privacy
Privacy is paramount when it comes to student safety and welfare. Identifying and remediating unexpected stores of student data minimizes the risk of data breach to the school, and the student.
Data discovery is the foundation of good data management. Periodic data discovery highlights where security efforts should focus, saving schools and EdTech providers scarce time, resources and money.
Advanced data discovery solutions such as Ground Labs Enterprise Recon offer remediation-in-place functionality to clean up and secure unexpected stores of data.
Request your complimentary Data Risk Assessment today and find out how Enterprise Recon can help your institution achieve and maintain COPPA and FERPA compliance.