Indiana Student Records and EdTech Vendor Governance Guide

Primary Focus
Indiana districts typically implement student data privacy through federal FERPA requirements and disciplined local governance for vendor oversight, disclosure control, and security.

Key References
FERPA (20 U.S.C. 1232g) and U.S. Department of Education FERPA guidance

Official Resources
https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
https://www.in.gov/legislative/ic/code/

Overview

Indiana schools and districts protect student information primarily through FERPA and strong local governance practices. Because most classroom technology is vendor-hosted, districts benefit from maintaining consistent review workflows that control access to education records, limit disclosures to authorized educational purposes, and document vendor responsibilities for security and confidentiality.

This approach is practical even when state-specific student data privacy requirements are spread across multiple topics: districts can apply a repeatable process for approving tools, recording decisions, and revisiting risk as products evolve.

Applicability and Scope

Indiana privacy governance is most relevant when districts:

• Use learning platforms, assessment tools, tutoring apps, or communication tools that collect student identifiers or student work
• Share roster data or enable integrations between district systems and third-party services
• Provide vendors with access to education records or student information system data under a services relationship

Core District Practices (FERPA-Aligned)

District implementation commonly focuses on:

• Purpose limitation: ensure vendors use student data only to provide the school-authorized educational service
• Disclosure discipline: share the minimum necessary data fields and document why sharing is needed
• Access control: apply role-based permissions so staff and vendor administrators only see what they need
• Security and lifecycle: confirm safeguards, incident response expectations, and retention/deletion options

Vendor Review and Documentation

Indiana districts typically scale privacy governance by standardizing vendor review questions and keeping a central record of approvals.

Common questions include:

• What student data is collected, stored, or generated by the tool?
• Is the vendor prohibited from selling student data or using it for advertising or unrelated profiling?
• What security controls and breach notification commitments apply?
• How does the district request deletion or data return when the relationship ends?

How Can EdPrivacy Help Indiana Schools

When the baseline requirements come from federal law and district policy, Indiana districts still need consistent documentation and oversight across many tools. EdPrivacy helps centralize app inventory, vendor artifacts, and approval decisions so governance is easier to manage and easier to explain.

The platform helps districts:

• Maintain a living inventory of apps and services that touch student records
• Store vendor privacy policies, DPAs/contracts, and security documentation in one place
• Document approval conditions (data minimization, purpose-only use, retention and deletion expectations)
• Track vendor changes so reviews can be refreshed when risk changes

Summary

Indiana districts should be prepared to:

• Align vendor access and disclosures with FERPA expectations and district authorization
• Use repeatable vendor review and documentation workflows to scale oversight
• Verify security and data lifecycle controls for vendor-hosted tools
• Revisit approvals periodically as products and vendor terms change

A consistent, inventory-driven governance approach helps Indiana districts maintain strong student privacy protections across a changing edtech landscape.