Most guidance is aimed at those who teach or advise students but there are some important FERPA-related considerations for researchers and administrators, particularly as related to the selection and use of educational tools and platforms.
Considerations for the use of a third-party platform or software
By using the software, platform, or system is the institution maintaining educational records?
Institution includes any school official acting on behalf of the institution, including faculty, instructors, administrators, staff that have a legitimate educational interest in accessing education records, and third parties that maintain education records for/on behalf of the institution, if requirements of 34 CFR 99.31 are met.
Requiring, recommending or using a system, platform or software in class in such a manner that identifiable student data will be accessed that system, platform or software in general would constitute maintaining education records by or on behalf of the institution.
Education records are records that are directly related to a student and that are maintained by an educational agency or institution or a party acting for or on behalf of the agency or institution. These records include but are not limited to grades, transcripts, class lists, student course schedules, health records (at the K-12 level), student financial information (at the postsecondary level), and student discipline files. The information may be recorded in any way, including, but not limited to, handwriting, print, computer media, videotape, audiotape, film, microfilm, microfiche, and e-mail. (US Department of Education).
Does the third-party software or platform provider agree to sufficient data protection measures, e.g., a Data Protection Agreement (DPA) that meet the requirements of the Family Educational Rights and Privacy Act, as determined by the UW Privacy Office?
When a student shares their data/demographics in a third-party software such as Teams, that record is not subject to FERPA, since students are not the institution. ...if the institution uses that same software. We would need to have a data processing agreement in place with the vendor to insure the FERPA compliancy of the education records stored in the third-party software.
Examples
| FERPA is not applicable... | However, FERPA is applicable... |
|---|---|
| When a student shares their data/demographics in a third-party service or platform, that record is not subject to FERPA, since students are not the institution. |
...if the institution school official uses that same service or platform to access data or via a flowback of data. (The data is being maintained by a third party on behalf of the UW.) …if the student pulls the data out and provides it to the institution school official outside of the service or platform. (The data is being maintained by the institution.) We would need a data processing agreement in place with the vendor to insure the FERPA compliancy of the education records stored in the third-party software. |
| When a student uses a third-party software or platform with which the University does not have a data processing agreement in place, such as Reddit or Facebook, FERPA does not apply since students are not the institution. |
… if a UW school official, such as a faculty member or instructor, is using what the student has entered in that third party software as part of the assessment process for the course or research that is then maintained by the institution (by paper, online, or in any medium), that record becomes an education record subject to FERPA. We should have a data processing agreement in place with the vendor. |
Learn more
Data Processing Agreements
Before launching any UW activity that involves sharing personal data with an external (non-UW) organization or contractor — from business processes to systems to surveys — your first step is to create a data processing agreement (DPA). A DPA outlines how you plan to use personal data and is especially important for clarifying the purpose and use of data as well as roles and responsibilities with an external organization or contractor.
Recruitment marketplaces
Recruitment marketplaces are platforms that help connect researchers to qualified participants who can complete tasks or surveys, and provide easy mechanisms for rewarding this work via financial incentives. Because the core business activity of such platforms involves the storing and exchange of personal contact information (personal data processing), it can be difficult to get a signed Data Processing Agreement in place. UW's DPA requires that personal data may only be used to fulfill the specific purpose of the service for which they are contracted (i.e., UW user research). Thus, CoE policies on the use of such marketplaces require additional measures on the part of researchers to help mitigate the risks and ensure UW's adherence to applicable rules and regulations.