Privacy & Compliance Glossary
A comprehensive guide to privacy terminology for schools, districts, and educational institutions.
Compliance Frameworks
FERPA (Family Educational Rights and Privacy Act)
US federal law protecting student education records. Applies to all schools receiving federal funding.
- Parents have the right to access student records
- Schools need consent to release records (with exceptions)
- Students gain rights at age 18 or when entering higher education
COPPA (Children's Online Privacy Protection Act)
US federal law protecting children under 13. Requires:
- Verifiable parental consent before collecting PII
- Clear privacy policies
- Data minimization
- No conditioning participation on data collection
GDPR (General Data Protection Regulation)
EU regulation (2016/679) with extraterritorial reach. Maximum penalty: EUR 20M or 4% of global revenue.
- Lawfulness, fairness, transparency
- Purpose limitation
- Data minimization
- Accuracy, storage limitation
- Integrity and confidentiality
SDPC (Student Data Privacy Consortium)
Organization providing standardized Data Privacy Agreements (DPAs) for K-12 schools. Pre-signed National DPA available for participating vendors.
Privacy Techniques
Anonymization
Irreversible transformation of data to prevent identification. Once anonymized, data is no longer considered personal data under GDPR.
Example: "John Smith, Grade 5" → "[REDACTED], Grade 5"
Pseudonymization
Reversible transformation where identifying data is replaced with artificial identifiers. Original data can be recovered with a key.
Example: "John Smith" → "Student_A7B9" (with mapping table stored securely)
Redaction
Complete removal of sensitive information from documents, typically replaced with black bars or "[REDACTED]" markers.
Masking
Partial hiding of data while preserving some characters for reference or validation.
Example: "john.smith@school.edu" → "j***.s****@s*****.edu"
Hashing
One-way cryptographic transformation that creates a fixed-length fingerprint. Cannot be reversed.
Example: "John Smith" → "a7b9c3d8e5f2..." (SHA-256)
Encryption (Reversible) - UNIQUE
Transformation using cryptographic keys that can be reversed by authorized parties. UNIQUE to Anonymize.Education among education privacy tools.
Example: "John Smith" → "ENC[x7f8g9h...]" (can be decrypted when needed)
Technical Terms
Zero-Knowledge Architecture
System design where the service provider mathematically cannot access user data. Data is encrypted before reaching servers; only users hold decryption keys.
Why it matters: Even if servers are breached, attackers get only encrypted data.
Deterministic Detection
PII detection using fixed rules (regex patterns) that produce consistent, reproducible results. Contrast with probabilistic AI detection.
Why it matters: Deterministic methods are auditable and produce identical results each run. Probabilistic AI methods may vary.
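As an added example (not code from this glossary or from Anonymize.Education), the sketch below ties together the Pseudonymization and Deterministic Detection entries: fixed regex rules find SSNs and e-mail addresses, and each match is replaced by a keyed HMAC-SHA256 token recorded in a mapping table. The patterns, function names, token format, key and sample record are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Fixed rules for structured identifiers (constructed for this example).
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def pseudonym(kind, value, key):
    """Keyed, repeatable identifier: same value and same key give the same token."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{kind}_{digest[:8].upper()}"

def pseudonymize(text, key):
    """Replace every rule match; return the new text and the mapping table."""
    mapping = {}

    def swap(kind):
        def repl(match):
            token = pseudonym(kind, match.group(0), key)
            mapping[token] = match.group(0)  # table must be stored securely
            return token
        return repl

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(swap(kind), text)
    return text, mapping

def restore(text, mapping):
    """Reverse the substitution; only possible with the mapping table."""
    for token, original in mapping.items():
        text = text.replace(token, original)
    return text

# Constructed sample record and key (a real key would come from a secret store).
SAMPLE = "Contact john.smith@school.edu, SSN 123-45-6789, re: Grade 5 IEP."
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    out, table = pseudonymize(SAMPLE, KEY)
    print(out)
    print(restore(out, table) == SAMPLE)
```

Because the rules and the key are fixed, two runs over the same record produce identical output, which is the auditable property the Deterministic Detection entry describes. Free-text items the rules do not cover (names, "Grade 5 IEP") pass through unchanged.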
Hybrid Detection
Combining multiple detection methods:
- Regex patterns - Deterministic rules for structured data (SSN, credit cards)
- NLP models - spaCy/Stanza for named entity recognition
- Transformer models - XLM-RoBERTa for multilingual context
Advantage: More accurate than any single method alone.
AES-256-GCM
Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode. NIST-approved, considered unbreakable with current technology.
Argon2id
Password hashing algorithm designed to be resistant to both GPU attacks and side-channel attacks. Winner of the Password Hashing Competition.
Data Types (PII Categories)
Direct Identifiers
Information that directly identifies an individual:
- Full name, email address, phone number
- Social Security Number, Student ID number
Indirect Identifiers (Quasi-identifiers)
Information that can identify an individual when combined:
- Date of birth, ZIP code, gender
- Grade level, class designation
Sensitive Personal Data
Special categories requiring extra protection:
- Health information (IEP/504 status)
- Biometric data, religious beliefs
- Racial/ethnic origin
Education Records (under FERPA)
- Grades and transcripts, class schedules
- Attendance records, disciplinary records
- IEP/504 plans, financial aid records
Integration Terms
LMS (Learning Management System)
Platform for managing educational content and student interactions. Examples: Canvas, Blackboard, Schoology, Google Classroom.
SIS (Student Information System)
Database system for managing student records. Examples: PowerSchool, Infinite Campus.
SSO (Single Sign-On)
Authentication method allowing one login for multiple applications. Common in K-12: Clever, ClassLink.
MCP (Model Context Protocol)
Protocol for integrating tools with AI assistants like Claude. Enables anonymization before data reaches AI models.
Compliance Documents
DPA (Data Processing Agreement)
Contract between data controller (school) and data processor (vendor) required by GDPR Article 28 and many US state laws.
HECVAT (Higher Education Community Vendor Assessment Toolkit)
Standardized security assessment questionnaire for higher education vendors.
FOIA (Freedom of Information Act)
US federal law requiring disclosure of government records. Many state equivalents apply to public schools.
Security Certifications
SOC 2 Type II
Service Organization Control report assessing security controls over time (typically 6-12 months). Type II demonstrates ongoing compliance vs. point-in-time Type I.
ISO 27001
International standard for information security management systems (ISMS). Requires annual surveillance audits, full recertification every 3 years.
WCAG 2.1 AA
Web Content Accessibility Guidelines level AA. Required for Section 508 compliance in US government and often required for education tools.
Last updated: February 2026