Important Privacy Developments

For years, student data privacy has been a hot topic in education. In 2014, the U.S. Department of Education issued guidance on the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA) to help schools and districts understand how to protect student data. In 2015, the White House released a Student Privacy Bill of Rights to help ensure that student data is used only for educational purposes. And in 2016, the U.S. Department of Education released a new Privacy Technical Assistance Center (PTAC) to help schools and districts understand how to protect student data.

The way all of this has impacted Runestone Academy is that many school districts are now requiring that we sign a Data Privacy Agreement with them before they will allow their students to use Runestone Academy. In the beginning this was a giant pain because each district had their own agreement, usually thrust upon them by their state department of education. There was little chance to negotiate and many of the agreements contained clauses that were not acceptable to us. For example, some of the agreements required that we delete all student data at the end of the semester. This is not acceptable to us because we want to be able to provide students with a record of their work in the course. (We do automatically remove data after 2 years) Other agreements wanted us to certify that we were HIPPA compliant, but since we don’t collect any health information this was not something we could do. Most problematic was that many agreements had a clause that obliged us to reimburse the school district if we ever had a data breach. Although highly unlikely, the costs associated with recovering from a data breach could be very high and we could not afford to take on that risk. Thankfully after a long search, we were able to find a company that would provide us with reasonably priced insurance against a data breach and we are now comfortable signing these agreements.

In 2020 we signalled our strong support for student privacy by signing the Student Privacy Pledge. You can read the pledge here: I also bothered countless people with emails complaining that these data privacy agreements were killing open source projects like Runestone because we don’t have the resources or knowledge to negotiate these agreements. I am happy to say that things are getting WAY better.

Introducing the National Data Privacy Agreement (NDPA) which is a standard agreement that schools and vendors can use to protect student data. This agreement (fostered by the Student Data Privacy Consortium) was developed jointly by schools and vendors and creates a set of common expectations between schools and providers like Runestone. We have already signed agreements with several schools that use the NDPA. You can read more about it here: We are happy to sign this agreement with any school that requires it. Even better, if your school is a part of a consortium where another member has already signed the agreement, then all your school has to do is sign Exhibit E and send us a copy. These consortia are often run at the state level, but in some cases multiple states have banded together. The map below shows the states that have adopted the NPDA and have consortia in place. In addition most of the state consortia have a database of vendors so you can do a quick search to find out if Runestone Academy has already signed with that state. If we have, then all you need to do is sign Exhibit E and send it to us. If we have not, then you can send us the agreement and we will sign it.

Map of states with SDPC consortia

The development of the NDPA is such a positive step forward for student privacy and it is a huge reduction in the amount of work that I have to do to sign agreements with schools. I am very grateful to the Student Data Privacy Consortium for their work on this. If your school is not a part of a consortium, please encourage them to join one. It will make it much easier for them to sign agreements with vendors like us. If your school is developing their own agreement, please encourage them to use the NDPA rather than creating their own. It will save them a lot of time and effort and will make it easier for them to sign agreements with other vendors.


I have been enjoying using Github copilot with VSCode for both Python programming and writing blog posts. Copilot is based on OpenAI’s GPT-3 language model. In fact the first paragraph of this post was written by Copilot. I wrote the title and the first few words of the first sentence and it wrote the rest. I did have to edit it a bit, but it was a great starting point. It also had some good and not so good suggestions for other parts of this post, including making up urls to non existent pages. Its really great at taking some of the drudgery out of programming in that it can write a lot of the boring code very quickly leaving me more time to work on the hard stuff. I am looking forward to seeing how this technology develops.