How to Make Your Crowdbotics App FERPA-Compliant

The amount of student data collected and stored by modern applications is enormous. If your business operates in the education industry and has embraced the digitization of records, there is a high chance that a mobile application is involved that collects and stores a student's data.

A student's data may contain an education record that consists of information related to report cards, grades, GPA, transcripts, medical records, disciplinary records, family contact information, class schedules, attendance records, psychological evaluation, and so on.

The Family Educational Rights and Privacy Act (FERPA) is a federal privacy law that gives parents or guardians confidentiality protection over their children's education record, including reviewing the record or requesting changes in special circumstances. It applies to all educational institutes that accept public funds.

This law applies to educational applications. The parents of a child should have a way to grant their consent upon any request in writing. In this post, let's take a look at the fundamentals of FERPA, specifically how to determine whether your app needs to be FERPA-compliant and how to make a mobile app FERPA-compliant.

How to determine if your app needs to be FERPA-compliant

FERPA is a federal law enforced by the U.S. Department of Education (DOE). Any educational institute, such as a school, is responsible for the compliance of its vendors and service providers. This law prohibits a school from disclosing personally identifiable information (PII) from a student's education record to a third party without consent from the parent or the guardian of that student. PII may include a student's social security number, their student identity card number, their mother's maiden name, or other such information.

A school will usually share data with a third-party provider under the "School Official" exception to FERPA. Under this exception, a school is allowed to share PII from a student's education record without the consent of a parent as long as that third-party provider:

  • provides a service or a function for which the school may otherwise use its own employee. In this scenario, the third-party provider acts as an outsourced service provider.
  • is under the direct control of the school with regard to the collection and usage of information.
  • uses the information only for an authorized purpose.

Another aspect of the law allows an educational institution to disclose information from a student's record that is generally not considered harmful or an invasion of privacy. This is defined as Directory Information. It includes:

  • a student's name, telephone listing, email address, dates of attendance, date or place of birth
  • a student's participation details in any officially organized activity or a sporting event
  • the weight and height of members of any athletic team during the time at an educational institute
  • any degree, honor or award received by the student
  • the most recent school attended

An educational institute is free to share information related to any of the above points with third-party services without consent. However, for any of the above information, a parent or the guardian of a child does have a right to opt out and protect their child's records that fall under directory information.

How to determine if your app is FERPA-compliant

FERPA contains clear and precise requirements with which your app must comply. To meet these requirements, here are the steps you can take to ensure compliance:

  • Make sure to request only personal information that is required for a specified task or activity.
  • Make sure not to collect and use any personal information for a purpose other than those disclosed in a contract with the educational institute.
  • Make sure not to disclose any information to a third-party provider or a vendor without the consent of the educational institute or the guardian.
  • Take proper measures to protect and ensure the security of any digitized data that contains a student's records shared by an educational institute.
  • Maintain transparency about how PII or Directory Information is consumed or used within the app.
  • Make sure to have a notification policy in case of any breach of information.
  • Allow the educational institute or the guardian to communicate or request to destroy any personal information of a student, especially at the end of the contracted term.
  • There should be a clear way for the educational institute or the parent to exercise their right to review a record.
  • There should be a clear way for the educational institute or the parent to exercise their right to correct information on a record.

How to implement FERPA compliance using the Crowdbotics App Builder

The initial step you can take as an app developer when building a FERPA-compliant mobile app is to implement a privacy policy section where the information on storing or using data can be explained. If you use any third-party service providers, you could mention what measures you have taken to protect any sensitive information that may fall under FERPA compliance.

In this section, let's go through how you can add a module with the Crowdbotics App Builder so that a mobile app includes a privacy policy section that is accessible and visible.

Before we proceed, please make sure to have an account registered with the Crowdbotics App Builder and have access to the dashboard and other screens such as Storyboard. If necessary, brush up on how to Scaffold a new Custom Mobile App with Crowdbotics and create a new demo app with the App Builder.

Once the scaffolding process is done, you are going to be welcomed by the Storyboard screen. This editing tool provides a logical flow to maintain a collection of your app's screens.

The first module we are going to cover is called Settings. It's a common practice to include Privacy policies under the app screen that is responsible for handling app-related settings. The Crowdbotics App Builder provides a built-in Settings module that you can drag-and-drop directly into your app to add such an app screen with functionality.

This screen module is now added to your RAD stack app.

On a mobile device, the screen module to display the Privacy Policy section is shown below:

To make modifications or add your own Privacy Policy URL in the mobile app, you will need to do a small amount of manual coding. Click on the button that says View Code to access your source code from within the Settings page in the Crowdbotics App Builder.

The browser will redirect you to the GitHub repo of the RAD stack app. From there you can either clone the repo or download the zip file and open the source code in the code editor or IDE.

In the file src/features/Settings/screens/settings.js you can view the following code and make further modifications as per your requirements, whether you intend to include a new app screen, add a modal screen to display the Privacy Policy, or redirect the app's user to a web page.

<View style={this.props.themedStyle.row}>
  <TouchableOpacity
    style={this.props.themedStyle.rowButton}
    onPress={this.gotoURL.bind(this, privacyUrl)}
  >
    <Text category='s1' style={this.props.themedStyle.text}>
      Privacy Policy
    </Text>
  </TouchableOpacity>
</View>

This method is an example of how you can build a mobile app and take the necessary steps such that the app complies with FERPA. Other FERPA considerations, such as getting the written consent of a parent or the guardian of a student to use or modify the data, are organizational and technical priorities that fall outside the scope of the Crowdbotics App Builder.
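If you change the Privacy Policy row to redirect the user to a web page, it is worth checking the URL before it is opened, especially when privacyUrl is loaded from configuration rather than hard-coded. The following is an added example, not code from the Crowdbotics repository: validatePolicyUrl, the injected openURL callback, and the allow-listed host are hypothetical, and it assumes a WHATWG-compliant URL implementation is available in the app runtime.

```javascript
// Added example: hypothetical helpers, not part of the generated Settings module.
// Hosts allowed to serve the privacy policy (constructed placeholder value).
const ALLOWED_POLICY_HOSTS = ['www.example-school-app.test'];

// Returns the normalized URL string if it is safe to open, otherwise null.
function validatePolicyUrl(raw, allowedHosts = ALLOWED_POLICY_HOSTS) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    url = new URL(raw.trim());
  } catch (err) {
    return null; // not an absolute, parseable URL
  }
  // Only HTTPS: rejects http:, tel:, javascript: and custom app schemes.
  if (url.protocol !== 'https:') return null;
  // Embedded credentials can disguise the real host in a displayed link.
  if (url.username || url.password) return null;
  // Exact host match only; suffix or substring matching is too permissive.
  if (!allowedHosts.includes(url.hostname)) return null;
  return url.href;
}

// Same shape as a gotoURL handler. `openURL` is injected so the check can be
// exercised outside the app; inside the app it would be the function that
// actually opens the link (an assumption about how gotoURL is implemented).
async function gotoURL(raw, openURL, allowedHosts = ALLOWED_POLICY_HOSTS) {
  const safe = validatePolicyUrl(raw, allowedHosts);
  if (safe === null) return false; // refuse to open anything unvalidated
  await openURL(safe);
  return true;
}
```

The handler returns false instead of opening a rejected URL, so the calling screen can show an error or fall back to an in-app copy of the policy.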

Conclusion

Now you know how to build FERPA-compliant apps with the Crowdbotics App Builder, and, more generally, what the main requirements are to build a FERPA-compliant mobile app. FERPA compliance is made possible via Crowdbotics' full-code approach to building mobile apps, in which users have total control over the way their data is processed in their Crowdbotics app.

An app generated with the Crowdbotics App Builder tool comes with default permissions, specifically the ones we have discussed in the previous section. To build an app, Crowdbotics offers both the low-code Crowdbotics App Builder and managed app development by expert PMs and engineers.

For further reading on FERPA, check out this resource. To learn how to build mobile apps with Crowdbotics App Builder, please read our guide to building a custom mobile app with Crowdbotics.

Originally published: November 9, 2020