If you are a parent of a student, or a student yourself, you may be aware of the vibrant discussions happening around student privacy, especially around new technologies being deployed in schools. Who owns this data? Who should be able to use it? In what ways are service providers able to use it?
As for who owns this data, we’d like to think the answer is clear: Students should own their data. In the context of cloud services, Kathleen Styles, chief privacy officer of the U.S. Department of Education, recently said, “The provider never ‘owns’ the data, and can only act at the direction of the school or district.”
But what’s less clear is how third parties who have access to that data – schools, service providers – can use it. Whenever the discussion about student privacy arises, the Family Educational and Privacy Rights Act (FERPA) is usually referenced. FERPA is a federal law that protects the privacy of personally identifiable information in “education records.” Styles suggests that in addition to a service provider being able to access and use FERPA-protected information to operate a specific cloud service, it would be permissible for the school to allow the service provider to “use FERPA-protected information to improve the products the school or district was using.” But using this information for “a product never intended for use by the school or district” is beyond what FERPA permits.
Microsoft News Center Staff