A Beginner’s Guide to Data Privacy Laws and Compliance in the Education Industry

[Cloud Compliance, Advanced, 9 minute read]

The global shift towards digitized learning, accelerated by the Covid-19 outbreak, is having a huge impact on the education system—from personalized learning experiences and improved engagement to reduced costs and more regularly updated content.

Cloud adoption has seen the widespread use of technologies such as file-sharing applications and collaboration tools to aid learning. And academic institutions are collecting increasing amounts of data to enhance the learning experience and better serve their students.

But at the same time, new data protection laws have been coming into force across the world to bolster the privacy rights of individuals in today’s data-driven landscape. As a result, schools, colleges, universities and e-learning providers must now comply with much stricter data privacy requirements.

In this post, we examine some of the implications of data protection legislation on the education sector. But first we explain what exactly compliance is and run through three of the most important laws affecting the industry.

What Is Data Privacy Compliance?

Many struggle to understand what compliance actually means, often confusing it with closely related concepts such as data privacy, data protection and cybersecurity.

So, to clear up any misunderstanding, let's briefly clarify the most important terms:

  • Data Privacy: Your legal obligation to protect the privacy of individuals through proper handling of personal data. In other words, how you may collect, store, share and allow access to personal data in accordance with the law.
  • Cybersecurity: The safeguards you put in place, such as encryption and firewalls, to prevent unauthorized access to computer systems and data.
  • Data Protection: The technical measures you need to take to protect data from compromise, corruption or loss, covering not only cybersecurity but also backup and business continuity strategies.
  • Compliance: Ensuring conformance with data privacy law by meeting specified requirements for technology and organizational procedures and practices.

Key Data Privacy Laws

More than 80 countries across the globe have now adopted comprehensive national, provincial or industry-specific data privacy and protection regulation. The following are the most significant to the education sector:

Family Educational Rights and Privacy Act (FERPA)

The FERPA is a long-standing US privacy law that applies to educational institutions that receive federal funds. In essence, it grants parents access to their children's educational records and a degree of control when it comes to how that information can be disclosed.

However, these rights generally transfer to the child once they turn 18, where neither the school nor any individual members of staff may disclose their information without their consent.

FERPA regulations broadly cover sensitive personal information, such as details about grades or behavior. However, it also applies to other types of personally identifiable information (PII), such as names, addresses and telephone numbers. This may be disclosed provided parents or students are notified and given sufficient time to object to the disclosure.

General Data Protection Regulation (GDPR)

The GDPR came into force in 2018 with the aim of harmonizing the large number of individual national data protection laws into a single set of rules to regulate data privacy in Europe.

The legislation strengthened the privacy rights of Europeans by giving them more control over their data through greater transparency, stricter conditions governing the collection of personal data, and the right of individuals to have their personal data erased.

Although the GDPR is EU legislation, it's had a huge impact on data privacy practices throughout the world as it protects personal data about European Economic Area (EEA) citizens—no matter where the company that processes and stores that data is located. That means the GDPR applies to US universities, which often have a sizable intake of international students. It also affects e-learning providers and other educational establishments that offer services to European students.

California Consumer Privacy Act (CCPA)

The CCPA is designed to protect the privacy of California citizens and is largely seen as the blueprint for data privacy laws in the US. It shares many common features with the GDPR; however, it focuses more on the sale of personal data, requiring consent to do so for any California resident under the age of 17, which makes it particularly relevant to certain education institutions. Furthermore, Californians of all ages have the right to know if you sell their personal information and opt out if they wish.

As with the GDPR, the scope of the law is global, as it applies to any commercial concern that does business in California. The CCPA will only generally affect e-learning providers, as it doesn't apply to organizations with not-for-profit status. However, educational institutions shouldn't automatically assume they're exempt, as they may use a third-party processor that is fully subject to the law.

Principal Features of Privacy Legislation

Data Collection

Under the GDPR, schools, colleges, and universities may collect and process personal information on the grounds they're performing a task in the public interest. However, they must seek explicit consent to use personal data for anything that doesn't come within their normal duties as a learning provider. This must be from a parent if the child is under the age of 16—although member states have the freedom to set their own age of consent, subject to a lower limit of 13.

By contrast, under the CCPA, you don't need any prior consent for simply collecting and processing personal data unless you intend to sell it. It also doesn't impose any formal restrictions on the amount of data you can hold about a person—whereas the GDPR only allows you to collect what you actually need to perform your normal role or for the purpose for which you were granted consent.

Privacy and Consent Notices

Transparent data collection is a core compliance requirement for all education providers. But e-learning vendors will need to pay careful attention to signup forms, online checkouts and the wording of privacy policies.

Privacy notices, in particular, should be easy to find, clearly presented and in language that students of different ages and literacy levels can easily understand. They should explain exactly what you do with student data, outlining:

  • who you are
  • what information you collect
  • why you collect it
  • the data subject's rights

Data Security

To comply with the requirements of virtually any data protection law, you'll need to implement appropriate technical and organizational practices to safeguard the privacy of individuals.

In an educational environment, in particular, students can inadvertently spread malware via email, flash drives and social media. Busy teachers and lecturers, confronted with a mountain of emails and term-time work pressures, can easily get caught off guard by harmful attachments and links to malicious websites.

So security awareness training will be key to meeting these legislative requirements.

More specific security measures will be dependent on the exact shape of your organization and the work that you do. Typically, these measures may include:

  • Keeping all software and workstations up to date with the latest software updates and patches
  • Enforcing a strong password policy
  • Limiting access privilege to the bare minimum users need to do their work
  • Allowing only supervised access to classroom hardware

What's more, if you outsource your IT then make sure you use an accredited partner, which you can rely upon to manage your resources in a secure and compliant manner.

Providers of cloud-based learning software also need to fully understand how they share responsibilities for security with their cloud vendor, implementing robust measures for those that are still under their control.

And, finally, educational institutions may not necessarily store personal data about students in a single centralized location. For example, in a university setting, the accommodation office may use a completely different computer system from the careers service or individual faculties. Moreover, teaching staff may be storing personal data in forms, such as email or Google Drive documents, which lie outside of the direct control of the IT department.

This calls for tools that provide complete visibility into all this data, so IT teams can ensure it's sufficiently secure to meet compliance requirements.

Data Transfers

The GDPR places tight restrictions on transferring personal data internationally. This has compliance implications for cloud-based learning software, which may store data in a different country from that of the end user.

In general, the only cases where a European student's personal details can lawfully be transferred out of the EEA to another country is with legal frameworks in place that assure that there will be adequate protection of personal data.

But if you're an e-learning provider you may find that, based on your existing cloud network, you cannot lawfully serve users in certain countries. So it's essential you validate the nationality of an institution or individual learner before they sign up to use your software.

Alternatively, you may prefer to review your mix of data center locations and develop a cloud region strategy that legally accommodates users across your entire customer base.

By contrast, the CCPA doesn't restrict international data transfers—although other data protection laws work on similar lines to the GDPR.

Right of Access

As well as the FERPA, both the GDPR and CCPA give individuals rights to access any data that a company has stored about them.

Each law specifies different requirements for the content of your response, but this would typically include:

  • a copy of the personal data you process
  • the reason for processing it
  • details of any third parties involved in processing the data, including any safeguards to protect it
  • the source of the data, where not collected directly from the individual

You must respond to such a request without undue delay and within a strict legal timeframe. This is normally within 1 month under the GDPR and 45 days under both the FERPA and CCPA.

Staying In Line with Data Privacy Principles

With so many requirements, defining protective data privacy principles that can help control where that data is collected, managed, and protected is important for every industry, including education. Privacy laws are making it possible for citizens to have their personal data deleted. However, this may conflict with the data retention requirements of other federal laws affecting the education sector. A careful level of control is necessary here.

To do that, look to tooling that can give you a complete overview of all your data—in order to accurately provide all information you store about an individual and generate responses to requests quickly and efficiently.

With the amount of data that education institutions collect, and the varying data privacy laws that may affect that data, it helps to have a way to better understand how you store that data and how you can respond to request to report or delete it. That’s where NetApp Cloud Compliance can help.

Cloud Compliance is an AI-driven data mapping technology that works with ONTAP systems, Amazon S3 buckets, numerous databases, Cloud Volumes ONTAP, and Azure NetApp Files. By intelligently parsing the context in which that data exists, Cloud Compliance can identify relevant data and automatically report on it. This lets you quickly respond to access requests or deletion by students and parents, and comply with other reporting requirements in data privacy regulations like GDPR and CCPA.

New call-to-action

-