LeRoy Rooker, FERPA expert who was director of the DOE Family Policy Compliance Office for 21 years, warns districts that they’re responsible for what their vendors do with data. Whether a violation is accidental or intentional, schools will be at fault for any misuse of information. Careful screening of vendors to ensure they’re FERPA compliant is important. Districts should also ask how the vendor gives parents and students access to records and prevents unauthorized people from accessing those records. He cautions they should be particularly careful with free apps and websites. The services may appear free on the surface, but vendors’ business models typically entail data mining, which is not allowed under FERPA, warns Steven McDonald, a FERPA expert and general counsel at the Rhode Island School of Design. “It should be clear that [the data] belongs to the school, not to the vendor, and that the vendor’s responsibility is to process it for the benefit of the school and its students, and not for the vendor’s own benefit,” says McDonald.