Independent schools hold a significant amount of data. Information routinely collected by schools includes social security numbers, financial aid information, student medical information, and donor information. To ensure that they exercise due diligence to protect all this information, schools should consider understanding if and to what extent legal obligations apply and taking practical steps to protect this information.

Understand what legal obligations may apply

Educational files

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. It is important to note that the law only applies to schools that receive funds under an applicable US Department of Education program. In other words, unless an independent school receives federal financial assistance from a Department of Education program, independent schools are not covered by FERPA.

Health Information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information. HIPAA rules apply to “covered entities,” which are limited to healthcare providers that electronically transmit health information as part of certain transactions; health plans, including employer-provided group health plans that provide or pay for medical care; and healthcare clearinghouses that convert healthcare information from a standard HIPAA format to a non-standard format, or vice versa. Most HIPAA rules also apply to “business associates,” which include contractors or suppliers of a covered entity who use or disclose individually identifiable health information in the course of providing services to the covered entity.

Especially, most independent schools are not considered covered entities. Maintaining records containing employee or student health information, such as documentation regarding an employee’s need for sick leave or a student’s immunization status, does not make an independent school an independent entity. covered. Offering health insurance or any other type of group health plan does not make an independent school a covered entity, as they are considered separate legal entities from the health plan itself. Nevertheless, health information is considered private information and should be treated confidentially.

Online Privacy

Even as schools now resume in-person learning, the technology used during the pandemic is hardly a thing of the past, and websites and online services remain a key part of any school’s curriculum. Generally, the Children’s Online Privacy Protection Act (COPPA) requires operators of websites or online services directed to children to obtain parental consent for use and permits schools to provide consent on behalf of parents when are used as educational programs. However, recently some of these operators have revised their sales contracts to require the school to obtain affirmative parental consent. To solve this problem, the enrollment contract must authorize the school, on behalf of the parents, to consent to the use of online services by the student. An ideal digital privacy policy for students should outline the types of online services available to students and provide a list of online platforms used by the school, along with the terms and conditions/privacy policies of those platforms.

Consumer Data Privacy Laws

Generally speaking, consumer data privacy laws govern permissions to share data collection and give individuals the right to control their data. While there is no single, comprehensive data privacy law in the United States, some states have enacted their own consumer data privacy laws, with others seeking to implement such laws. In addition, the European Union has a comprehensive data protection law – the General Data Protection Regulation (GDPR) – which protects data belonging to EU citizens and residents. Independent schools can be covered by the GDPR, depending on the extent to which they “offer goods and services” to EU citizens and residents (i.e. solicit students who live in the EU).

Independent schools would do well to ensure that they understand whether their operations are governed by these laws and, if so, what policies and procedures they will need to implement.

Practical advice

In addition to understanding what legal obligations may apply, schools can consider doing the following to ensure they are protecting student privacy and data:

Perform a privacy assessment

A privacy assessment can be used to determine what types of data the school keeps, where it is stored, and where there may be risks that this data could be breached or misused. Importantly, the assessment can also be used to identify areas where data privacy and security can be improved.

Implement (and periodically review) privacy policies

Schools may want to implement privacy policies that explain how school community data is collected and used, as well as how schools will respond to a privacy or data breach.

Organize a training

Conduct periodic training, not only on the school’s own privacy policies, but also on general best practices to ensure that sensitive and/or confidential school information, including student and employees, are protected. For example, make sure teachers understand how to identify suspicious emails and students understand the importance of protecting any passwords they have for educational apps.