Karl Broder and John Hutchins of Troutman Sanders LLP give some background on FERPA and PPRA, and then reinforce some points made by Joel Reidenberg and his colleagues at Fordham CLIP:
For example, a recent study by the Center of Law and Information Policy at Fordham Law School regarding the growing trend in school districts’ reliance on cloud computing services identifies discrepancies that often exist between a school district’s legal obligations and their contracts with vendors. In the educational context, where technology services are often procured as a result of a public bidding process on behalf of multiple educational systems, contracts may lack terms that would assure that FERPA and PPRA protections are extended to data in vendor’s hands. To bring vendors’ contracts in line with the school districts’ own legal obligations, the Fordham study recommends that vendors’ contracts include provisions that merit consideration by any party procuring cloud services, including:
- Specification of the types of data transferred or collected
- Prohibition or limitation on re-disclosure of Personally Identifiable Information
- Prohibition or limitation on the sale or marketing of Personally Identifiable Information without express consent
- Assurance that the procuring party [in this case, school districts] have exclusive control over data access and mining
- Prohibition on the imposition of new or conflicting privacy terms when end-users activate an account
- Allocation of responsibilities for granting end-user access and correction requests
- Specification of whether foreign storage and processing is permitted
- Specification of whether other government agencies may gain access without end-user consent
- Specification of data security measures and breach notification responsibilities
- Prohibition on unilateral modification
- Audit rights
These educational privacy laws point out, as we have many times before, the fact that the privacy regime in the United States is fractured and industry-specific. But protections can be negotiated in your vendor contracts, and the Fordham study provides some good examples of protections users should be looking for when negotiating with cloud vendors.
SOURCE: LexisNexis