The Family Educational Rights and Privacy Act (FERPA) is one of the strongest privacy protection laws in the United States. Educational records fall under the protection of FERPA, which defines educational records as any and all records a school or educational agency maintains about students.
The Children’s Online Privacy Protection Act (COPPA) also governs student data privacy from the perspective of security when engaging with cloud services.
What does this mean for childcare businesses? It means you are considered an educational agency and all records kept on the children in your care are considered educational records per FERPA, and are required to be kept according to FERPA requirements. Any cloud solution you use must meet COPPA requirements.
What are educational records?
FERPA has published a list of the types of records that fall under its purview. The list includes printed and handwritten documents, video and audio files and recordings, microfilm, and microfiche containing the following information:
- A student’s birthdate, place of birth, and the address and emergency contact information of parents or guardians.
- A student’s test scores, courses, academic specializations and activities, as well as official letters about the student’s status in school.
- Special education records.
- Disciplinary records.
- Medical and health records created, collected, and maintained by the school.
- Documentation of attendance, schools attended, courses taken, awards conferred, and degrees earned.
- Personal information including student identification codes, social security number, picture, or other information that can be used to identify or locate the student easily.
While your facility may not create, collect or maintain all of this information, you are required to keep anything that is considered an educational record private and secure.
For a preschool, that includes immunization records and emergency contact information, along with all other information about each child and the child's parents. Afterschool care must secure information about the classes each student has taken or is currently taking. A day camp must keep private all information about the kids who participate in the camp.
Any institution that could be termed an educational agency or school must meet the data privacy and security requirements.
FERPA vs. COPPA
FERPA prohibits the school from disclosing personally identifiable information, which is typically part of the educational records. The information may be released only if the school asks parents or guardians to sign and date a written consent for that release. The only time a release is not required is if a FERPA exception applies.
COPPA covers the operators of websites and online services targeted at children age 13 and under, as well as operators of general audience websites or online services that know one or more users are under the age of 13. If a school has a contract with a cloud-based provider that, in turn, uses student data for marketing, the school may violate COPPA.
FERPA exceptions
The law allows for certain exceptions to the rule of obtaining parental signatures and permission to share information. Schools may release information to specific agencies or parties. There are also a few circumstances under which the information may be released.
- Information can be released to a school to which the student is transferring.
- School officials with a legitimate educational interest may receive educational records.
- Educational records may be released to appropriate officials for evaluation or auditing purposes.
- Agencies connected with financial aid for the student may request and receive educational records.
- Accrediting organizations are allowed access to educational records.
- If the school is complying with a judicial order or lawfully issued subpoena, the educational records may be released without written permission from a parent or guardian.
- Health and safety emergencies are acceptable situations under which the records may be released to appropriate officials.
- State and local authorities from the juvenile justice systems may access the information according to state law.
Any party requesting student educational records outside of these exceptions must obtain the written permission of the parent or guardian of the student in question.
What about school directories?
The law allows information to be disclosed through a directory, including such data as the student’s name, address, phone number, date and place of birth, honors and awards, and attendance dates. The school must allow parents sufficient time to opt out of such disclosure before making the information public.
Since the facility must notify parents of their rights under FERPA annually, educational facilities often notify parents at the beginning of each school year and provide an opt-out form with other back-to-school documentation.
Does your childcare management software maintain compliance with FERPA and COPPA?
Between the alarms raised by parents who were unaware of student data aggregation and the multiple data breaches that have been in the news, the question of security is of paramount importance to daycare, preschool, afterschool care, and camp facilities.
The good news is that cloud-based childcare management software solutions, such as EZChildTrack, are some of the most secure networks available to keep educational records and student data private.
A cloud-based system stores no information on any device used by an educator or staff person employed by an educational facility. The solution is accessed with secure passwords and other safety protocols via a web browser. As long as the user is not logged into the system, the data cannot be lost through the theft of a device.
Also, unlike decades past, there are no boxes, files, or binders with private information available to steal from any facility. No data resides on the hard drive or memory card of an electronic device such as a laptop or smartphone. If a break-in occurs and electronics are taken from your facility, you do not need to worry about a data breach by hackers using stolen devices.
All student data securely resides at the data center used by the software vendor. Multiple physical and electronic features, from firewalls to guards, protect these data centers. The data is encrypted as it passes from the device to the database, making it virtually unhackable.
Unless you or your staff deliberately release a student's information, it remains private.
As a daycare, preschool, afterschool care, or camp operator, your business falls under the umbrella term of an educational agency. The records you create, collect, and maintain on every student must be protected per FERPA and COPPA.
Implementing a cloud-based childcare management software solution is the easiest, most secure method you can choose for maintaining the privacy of educational records.