FERPA and Morphic
Raising the Floor’s mission is focused on people who face barriers to the use of information and communication technologies (ICT) due to disability, literacy, digital literacy and aging. In 2020, Raising the Floor released Morphic, a computer software program that simplifies and makes computer use more accessible. Because of the nature of Morphic’s user-base, protecting the security and privacy of our users’ data is of highest concern and priority. This includes supporting compliance with the Family Educational Rights and Privacy Act (FERPA) for all of our student users in the K-12 and postsecondary education sectors (School Subscribers).
What is FERPA?
FERPA is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
What rights does FERPA grant to parents (or eligible students)?
FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.”
FERPA grants parents (or eligible students) rights including the following:
- The right to inspect and review the student’s education records maintained by the school.
- The right to request that a school correct records which they believe to be inaccurate or misleading.
- Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record, except for certain conditions when FERPA allows release without consent as detailed here.
- The right to file a complaint with the U.S. Department of Education concerning alleged failures by the school to comply with the requirements of FERPA.
What are “education records”?
FERPA defines education records as “records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution” (20 U.S.C. § 1232g (a)(4)(A); 34 CFR § 99.3).
These records include, but are not limited to, transcripts, class lists, student course schedules, health records, student financial information, and student disciplinary records.
It is important to note that any of these records maintained by a third party acting on behalf of a school or district are also considered education records.
What is “personally identifiable information” under FERPA?
FERPA defines the term personally identifiable information (PII) to include direct identifiers (such as a student’s or other family member’s name) and indirect identifiers (such as a student’s date of birth, place of birth, or mother’s maiden name).
Indirect identifiers, metadata about students’ interaction with an app or service, and even aggregate information can be considered PII under FERPA if a reasonable person in the school community could identify individual students based on the indirect identifiers together with other reasonably available information, including other public information.
FERPA and Morphic
What are Raising the Floor’s responsibilities with regard to FERPA?
For the purposes of FERPA, Raising the Floor is considered a “school official”, a role it acquires since Raising the Floor with its Morphic program is performing a service that furthers a “legitimate educational interest” (i.e., facilitating the provision of educational services).
How does Morphic receive PII from education records?
Raising the Floor does not need or obtain any student PII in order to provide the basic MorphicBar functions. However, for those who sign up for a Morphic account in order to save and transfer their settings, or to use custom MorphicBars, Morphic may need and receive PII for students either from the students or from others at the school such as the students email address, PII associated with buttons on custom MorphicBars, or settings of assistive technology or computer software.
Any student PII that Morphic/Raising the Floor might obtain is limited to that required for operation and maintenance/improvement of the service and is not used for any purposes except as permitted by applicable law, including FERPA, and applicable agreements with schools and districts.
How does Morphic work (collaboratively with educational institutions) to comply with FERPA’s data protection requirements?
Morphic has technical, procedural, and organizational measures built into its operations to help protect PII from unauthorized access, use, or disclosure including:
- Personal information collection and storage is limited to the minimum necessary to provide and improve our services or as otherwise directed by the educational institution.
- All data privacy policies and practices are reviewed by an international panel of privacy experts, and Raising the Floor has a dedicated software-specific privacy policy.
- Registered users of Morphic or their authorized representatives (including parents of minor students) can request access to, or delete, their personal information at any time.
- Personal information is encrypted in transit and at rest in permanent storage.
- Professional cloud services are used that have physical server security in place.
- Vulnerability scans and penetration tests are used to evaluate security posture and identify threats.
- Personal information is only disclosed to service providers that are necessary to help Raising the Floor provide its services, to comply with legal requirements, or as required by educational institutions in compliance with FERPA.
- Personal information is retained only as long as necessary to comply with legal obligations after account termination and to allow a 45 day “regret or mistake and I want to stay” period. However anyone can also request immediate erasure if desired.
- User PII stored on the Morphic Cloud is retained for the life of the account; however users can request closure of their account and deletion of their PII at any time.
- No PII collected by Raising the Floor through a Morphic account registration, customization or use, is shared with third parties for advertising or marketing purposes nor does Morphic show ads for third parties within its software.
How can parents (or eligible students) exercise their FERPA rights?
If a parent or eligible student would like to exercise any of their rights under FERPA with regard to Morphic they can do so by contacting us at Privacy@morphic.org.