Original Posting 18.09.17
Stating concern for privacy, schools sometimes will not get involved in data sharing with community organizations or initiatives. Although permissible under federal law, the schools struggle with this change – whether from having an insular culture, resistance to change or a fear of increasing liability. The U.S. Department of Education is now providing guidance for how districts can work within the United States’ student-data-privacy law - the Family Educational Rights and Privacy Act (FERPA). They recommend that schools understand that integrated data system implementation is a multistep process. Each of the steps should be justified using the appropriate exception written into FERPA.
A few helpful concepts:
- "School Official" Exception: A provision that allows a district to share educational records with third parties as part of outsourcing a service that it lacks the capacity to perform itself, such as sharing identifiable records with an integrated data warehouse that links with other administrative data.
- "Studies" or "Audits and Evaluation" Exceptions: A provision where schools give permission for analysis of de-identified records from the data warehouse by approved researchers. Note that research projects must have an instructional benefit for the schools involved.
- Data Sharing Agreements: The process must include written agreements that detail all the terms of the relationships. School districts are responsible for protecting the education records they disclose.
- Parent Consent: Records that have “identifiable” data that allows a child to receive appropriate interventions can’t be shared without parental consent. So if servicing the child to improve outcomes requires sharing of specific child records, a signed parent consent process must be implemented before this data is shared. Under FERPA, if the department is the legal guardian of the child, such as those in foster care or other court-ordered placements, then the department has the right to access their educational records.
- Security Protocols: Access to the data warehouse should be limited and school districts should generally have no access into individual records with the child’s data in this warehouse. They will receive information that has been aggregated where no child can be identified. This aggregated information is also often shared with other participating organizations and agencies, often with a “Community Report Card” approach as part of a continuous improvement effort.
Here is a nice checklist from the U.S. Department of Education’s “Data-Sharing Tool Kit for Communities: How to Leverage Community Relationships While Protecting Student Privacy” - a resource full of good tips for school districts.
Getting Started: A Quick Checklist for the School
- Establish criteria in the annual notification of FERPA rights about who is a “school official” and what constitutes “legitimate educational interests.”
- Determine if the disclosure is to a school official who has a legitimate educational interest in the education records.
- Use reasonable methods to ensure that school officials obtain access to only those education records in which they have a legitimate educational interest.
- If outsourcing school services or functions to a third party, make sure your third party does the following:
- Performs a service or function for which the school would otherwise use employees
- Is under the direct control of the school regarding the use and maintenance of education records
- Complies with the PII from education records use and re-disclosure requirements
COMET is pleased to support a number of communities in their data sharing efforts. Check out our Community Data Sharing resource for more information. If you’re struggling to connect with your local school district, contact us. We have lots of experience working through these data sharing agreements.