Is your cosmetology school’s online booking FERPA compliant?
FERPA is always at the top of the list when it comes to anything pursued by a proprietary school, and online booking is no different. In this post, we will discuss points of consideration to maintain FERPA compliance while using technology.
Although FERPA is not concerned with online services that are used on campus only (e.g., an online student information system used exclusively by teachers and staff for administrative purposes), there are a few caveats to consider when using online booking. Since the application is shared with the public and, therefore, implemented off campus, schools must be diligent with student consent to ensure compliance.
One great way to do this is to ensure your students' names are not visible in your online booking application. Unlike salons, online booking at a cosmetology school, in an effort to maintain privacy, should never disclose student-stylist names. It is wise to list a student's abilities rather than their name. For example, rather than list the name "Angie", try matching her floor time availability to the different services she can do for guests, such as cut, color, and perm. This will ensure your guests have the best availability for their service choice, as well as optimize the student's floor time (i.e., prevent overbooking).
Get written consent
Businesses typically maintain compliance through written consent forms. With cloud technology, consent forms such as click-wrap agreements can be a good secondary approach in addition to annual written consent forms, but they should not be the only safeguard used when implementing online booking. Any time a student's PII can be transferred or shared (in this case, through online booking between the customer and the school), consent must be obtained from every student about the potential disclosure of information.
FERPA Requirements if PII is Disclosed to a Provider
Subject to exceptions, the general rule under FERPA is that a school cannot disclose PII from education records to a provider unless the school has first obtained written consent. Accordingly, schools and districts must either obtain consent, or ensure that the arrangement with the provider meets one of FERPA’s exceptions to the written consent requirement.
Directory Information Exception
“Directory information” is information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy if disclosed (see 34 CFR § 99.3 definition of “directory information”). Typical examples of directory information include student name and address. To disclose student information under this exception, individual school districts must establish the specific elements or categories of directory information that they intend to disclose and publish those elements or categories in a public notice, which must occur annually.
Make sure your students don't "opt out"
While the directory information exception can seem to be an easy way to share PII from education records with providers, this approach may be insufficient for several reasons. First, only information specifically identified as directory information in the school’s or district’s public notice may be disclosed under this exception. Furthermore, parents (and eligible students) generally have the right to “opt out” of disclosures under this exception, thereby precluding the sharing of information about those students with providers. Given the number of parents (and eligible students) who elect to opt out of directory information, schools and districts may not find this exception feasible for disclosing PII from education records to providers to create student accounts or profiles.
De-identified student data is not necessarily FERPA protected under the “directory information” exception.
It is important to remember, however, that student information that has been properly de-identified or that is shared under the “directory information” exception is not protected by FERPA, and thus is not subject to FERPA’s use and re-disclosure limitations. Due to the potential gray area created by de-identifying PII, it is good practice to obtain written consent from students that explains, in simple terms, "Because your information/name will not be disclosed to the public, such information is not protected by FERPA, and we are not held liable for any disclosure of information by third parties."
De-identification refers to the process of removing or obscuring any personally identifiable information from student records in a way that minimizes the risk of unintended disclosure of the identity of individuals and information about them. Specific steps and methods used to de-identify information may vary depending on the circumstances, but should be appropriate to protect the confidentiality of the individuals. While it may not be possible to remove the disclosure risk completely, de-identification is considered successful when there is no reasonable basis to believe that the remaining information in the records can be used to identify an individual (as in the case of removing student names from online booking).
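As an added illustration of the name-free booking described above and of the de-identification step (this is not code from the original post or from any booking product), the sketch below keeps the student roster internal, publishes only open-chair counts per service and time slot, and assigns a student behind the scenes when a guest books. The roster, field names, `BookingBoard` and `leaks_pii` are all hypothetical and constructed for the example.

```python
import json
import secrets
from collections import defaultdict

# Constructed internal roster: contains PII and never leaves the school's system.
ROSTER = [
    {"student_id": "S-1001", "name": "Angie", "services": {"cut", "color", "perm"},
     "floor_time": ["2024-05-06T10:00", "2024-05-06T11:00"]},
    {"student_id": "S-1002", "name": "Marcus", "services": {"cut"},
     "floor_time": ["2024-05-06T10:00"]},
]
PII_FIELDS = ("student_id", "name")


class BookingBoard:
    def __init__(self, roster):
        self._roster = roster
        self._taken = set()        # (student_id, slot) pairs already booked
        self._assignments = {}     # confirmation code -> student_id (internal only)

    def _free_students(self, service, slot):
        return [s for s in self._roster
                if service in s["services"] and slot in s["floor_time"]
                and (s["student_id"], slot) not in self._taken]

    def public_availability(self):
        """Guest-facing view: open chair count per (service, slot), no student fields."""
        view = defaultdict(dict)
        for s in self._roster:
            for slot in s["floor_time"]:
                for service in s["services"]:
                    n = len(self._free_students(service, slot))
                    if n:
                        view[service][slot] = n
        return {svc: dict(sorted(slots.items())) for svc, slots in sorted(view.items())}

    def book(self, service, slot):
        """Assign a free student internally; the guest receives only a random code."""
        free = self._free_students(service, slot)
        if not free:
            return None  # nothing open: refuse rather than overbook
        student = min(free, key=lambda s: len(s["services"]))  # keep versatile students free
        self._taken.add((student["student_id"], slot))
        code = secrets.token_urlsafe(8)
        self._assignments[code] = student["student_id"]
        return {"confirmation": code, "service": service, "slot": slot}


def leaks_pii(payload, roster):
    """True if any roster PII value appears in the serialized guest-facing payload."""
    text = json.dumps(payload).lower()
    return any(str(s[f]).lower() in text for s in roster for f in PII_FIELDS)
```

Running `leaks_pii` against every guest-facing response in a test suite catches a name or student ID that slips into the public payload after a later change.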