The document discusses the rewards and risks schools face when adopting cloud-based data storage and analytics solutions. It notes that while these technologies can provide educational benefits, they also carry significant legal and privacy risks if student data is not properly protected. Schools must comply with various federal and state student privacy laws like FERPA, COPPA, and California-specific regulations. Selecting technology providers that can meet the requirements of these laws is important. Overall, the landscape of education technology and data privacy is complex, so schools should work with legal experts to help navigate these issues.

1. GAMABrief:
When Education Meets Big Data
The move by many schools to adopt cloud-based data storage and data analytics solutions is unsurprising, since
schools can generate significant pedagogical value through use of these technologies. With these rewards come broad
risks associated with legal and regulatory data privacy compliance. Given the slew of recent retail industry data
breaches making national headlines, the risks of data collection and storage are immediately apparent. With data
privacy on everyone’s mind, there has never been a better time for school administrators to fully evaluate and address
their student data privacy policies.
Big
Data
and
Educa-on:
The
Rewards
According to one recent study, “[n]early 90 percent of K–12 institutions report[ed] using one or more cloud-based
applications.” Data storage and analytics can provide powerful pedagogical tools. In fact, “data analytics is identified as
one of the two most important emerging technology trends in the coming two- to three-year ‘horizon’ for learning.”
The rewards are evident – data driven education can help differentiate coursework in a highly targeted and
automated way never previously possible. Analytics can help teachers assess student progress faster, saving teachers’
valuable time.
Big
Data
and
Educa-on:
The
Risks
Like any organization that collects and stores user data, schools must abide by certain national- and state-level
regulations, including avoiding deceptive business practices under the Federal Trade Commission’s (FTC) regulatory
scheme, abiding by data breach notification laws, and, in California, maintaining separate privacy policies for any mobile
applications and identifying in any website privacy policies how the site handles do-not-track browser settings.
Schools are unique and face an even greater data privacy burden under the Children’s Online Privacy Protection Act
(COPPA) and the Family Education Rights and Privacy Act (FERPA).
The patchwork of laws and regulations at all levels makes the increasing collection of student data all the more risky.
For schools, a full understanding of relevant privacy laws—specifically FERPA—is imperative before engaging in the
collection, analysis or storage of student data.
Cloud
Storage,
Data
Analy-cs
&
FERPA
The Family Education Rights and Privacy Act (FERPA) restricts the disclosure of student records that are maintained by
educational institutions who receive funds from the Department of Education. Generally speaking, FERPA allows
disclosure of personally identifiable information (PII) from a student’s education record only with consent from that
student’s parent or guardian. An exception to the rule – known as the “school official” exception – allows disclosure
without consent to contractors or other outside parties (known as third party providers or TPPs) if that TPP meets
certain requirements.
For example, the TPP must: (1) perform an institutional service or function for which the educational institution would
otherwise use employees; (2) be under the direct control of the educational institution with respect to the use and
maintenance of education records; (3) not disclose the information to any other party without the prior consent of
the parents or eligible student; and (4) may only use the information for the purposes for which the disclosure was
made.
A GAMA White Paper produced by Brandon Wiebe & Noah Johnson © 2014. Gagnier Margossian LLP. All rights reserved.

2. Some important questions to ask when selecting a cloud service provider:
•
Will parents be able to review and potentially delete portions of a student’s education data record if they so
request?
•
What are the cloud service provider’s data retention and deletion policies?
•
Does the cloud service provider disclose information to third parties?
•
Does the cloud service provider plan to release any anonymized data to third parties?
•
How will the cloud service provider implement data security protections for the education data records?
What
About
COPPA?
The Children’s Online Privacy Protection Act (COPPA) restricts the online collection of personally identifiable
information of any child aged 12 or younger without parental consent. Websites that aim their services towards
children must adopt some mechanism of obtaining parental consent before they begin data collection and must
permit parents to access and delete data records regarding their children.
COPPA generally does not effect educational institutions directly, as very few build and maintain their own websites
or mobile applications. As the line between big data and education further blurs, schools should be aware of COPPA
and its implications. It is quite possible that schools themselves may be drawn to develop their own proprietary data
technologies – a move that would directly implicate COPPA.
Compliance in California: Even More Legal Risks
California has led the way in passing a variety of data privacy laws, including state-specific additions to the FERPA
requirements, as well as robust regulations governing the collection of data online. Any educational institutions
located in California must also be aware of these regulations before drafting and implementing a student data
privacy policy.
The California Attorney General’s Office maintains a website summarizing the major aspects of these privacy laws:
http://oag.ca.gov/privacy/privacy-laws.
Conclusion
The regulatory landscape regarding data privacy can be overwhelming for institutions handling sensitive student
information. As districts continue to embrace new data-driven technologies, they must develop plans to assess and
maintain compliance with both federal and state rules. A data privacy attorney can help a school district makes sense
of the requirements imposed by the web of data laws, allowing districts to mitigate legal risks while reaping the
rewards of exciting new technologies.
For
more
informa-on
on
how
your
school
district
can
manage
data
privacy,
contact
an
aIorney
at
Gagnier
Margossian
LLP.

3. References
Jim Finkle and Mark Hosenball, Exclusive: More Well-Known U.S. Retailers Victims of Cyber Attacks, REUTERS (January 12,
2014), available at http://www.reuters.com/article/2014/01/12/us-target-databreach-retailersidUSBREA0B01720140112.
Keith R. Krueger, Data Privacy: What School Leaders Should Know, ESCHOOLNEWS (January 6, 2014), available at
http://www.eschoolnews.com/2014/01/06/data-privacy-cosn-119/ (study citation omitted).
See generally 20 U.S.C. § 1232g; 34 C.F.R. 99.
See generally 15 U.S.C. §§ 6501–6506.
See, e.g., CAL. EDUC. CODE § 49069, et seq. (specifying a parent’s right to inspect, review and challenge the content of a
student’s records maintained at a school district); Id. § 49073 et seq. (specifying requirements for school districts
pertaining to student directory information and exceptions to parental consent requirements).
See, e.g., California Online Privacy Protection Act of 2003, CAL. BUS. & PROF. CODE §§ 22575-22579.
Internet
Intellectual Property
Privacy
Social Media
Technology
The Good Stuff
#nerdlawyers
Los Angeles
Sacramento
T: 415.766.4591
F: 909.972.1639
E: consult@gamallp.com
gamallp.com
@gamallp
San Francisco