0
(0)

Consensus is emerging over concepts and best practices that will enable schools to safeguard student privacy while continuing to use powerful, third-party computing for better education outcomes.

The education community operates in the “big data” world that promises big advantages, including individualized learning and the ability to track and document the needs, progress, and successes of individuals and groups. Most schools and districts rely on outside parties to process and store the data due to the prohibitive costs involved in developing their own platforms. Similarly, in health care, banking, consumer transactions and many public services, we hand over vast amounts of our personal information to online service providers for the convenience, speed, and even security they offer.

But seemingly frequent and certainly publicized data breaches and the federal government’s own online surveillance apparatus have given rise to increasing concerns over privacy. These days we want our information stored and processed for our own purposes; we do not want vendors to push ads to us without our permission nor to pass along our personal data to others.

For years, privacy advocates have articulated anxieties felt by the public and pushed back against intrusions on data privacy. Following Edward Snowden’s revelations regarding the scope of NSA surveillance practices in May 2013, privacy concerns played out in national media, and certain sectors of the public seemed more receptive to them. Policy discussions among education, privacy, government, and vendor groups at the national level became more urgent and frequent. From these discussions, bright-line rules began to emerge — new norms of student data privacy on which nearly all interested groups could agree.

Educators who know the key issues regarding student data privacy in education will be more able to be part of the conversation.

At the same time, legislation was introduced in most states addressing student data privacy. By May 2014, after the collapse of education data platform inBloom, nearly 100 bills addressing student data privacy were pending in state legislatures, and that number continues to grow.

To a large extent, the state-level bills attempt to codify some of the bright-line rules filtering out of the policy discussions at the national level, although there is disagreement about whether and how those rules should be reflected in law. As a general matter, the evolving law seeks to protect student privacy by giving parents more rights in the form of consent or notice regarding disclosure and/or use of their children’s data, and to rein in practices — real or perceived — of vendors seeking to use student data for purposes unrelated to learning. Future legal frameworks are likely to impose more requirements on schools and vendors.

Student records became student data

Before 2000, student data was still kept largely in paper records stored in file cabinets. Then No Child Left Behind introduced widespread accountability requirements, prompting the federal government to begin awarding grants for the creation of statewide longitudinal data systems. The explosion began. Companies developed a flurry of applications allowing schools to store and process information in a variety of ways, many allowing data to be stored on remote servers.

Emerging concepts

In Washington and across the country, organizations representing educational, privacy, vendor, and data interests have been holding symposia, summits, conferences, and white paper-review panels. These conversations have centered on simple yet stubborn questions: How do we as an education community protect student and family privacy while still using the extraordinary potential of student data to facilitate learning and operate a school district? Is parent consent the answer? Or will transparency in school district data practices provide sufficient notice and protections to families? Does the current legal framework sufficiently address the needs of schools, families, and communities? If not, how should it be changed? Should the onus of student data privacy protection rest on the school system? Or should vendors carry that burden?

In these conversations, some key concepts are emerging that are generally accepted among national education, privacy, industry, and public interest groups as privacy norms. The devil is always in the details, of course. Although many agree with the concepts, school officials will need to tell policy makers how these ideas should be reflected in state policy.

Concept #1: Absent sufficient notice or consent, student data should be used only for educational purposes.

Educators, parents, the public, and even vendors seem to agree that data stored or processed by vendors in their work for schools should not be used to develop profiles for individual students for marketing or other commercial purposes. Some would go further to say that the data should not be used to direct any advertising to students or their families, without consent.

Concept #2: Parents and students should have access to their education records and the chance to request corrections.

Parents and eligible students (over 17 or attending a postsecondary school) may have access and seek amendment to their information contained in education records under the Family Educational Rights and Privacy Act (FERPA). Many believe these rights should extend to student information stored or processed by vendors on schools’ behalf.

Seemingly frequent and certainly publicized data breaches and the federal government’s own online surveillance apparatus have given rise to increasing concerns over privacy.

Concept #3: Schools should be as transparent as possible about what student data is collected, how it is used and stored, and by whom.

In a frequently cited report, the Center on Law and Information Policy at Fordham University’s School of Law found that U.S. public schools are rapidly adopting cloud-based services and transferring large amounts of student information to third-party providers while falling short on data privacy protections. Only 25% of the school districts in the study informed parents of the cloud services used by the district. The center recommends that schools disclose on their web site what types of student data are transferred to third-party vendors and list who they are (Reidenberg et al., 2013). The U.S. Department of Education recommends “that schools and districts communicate what student information they collect, why they collect it, how they use it, and to whom they disclose it” (U.S. Department of Education, 2014).

The evolving law

The U.S. Constitution enshrined a right to privacy against government intrusion nearly from its inception, with the Fourth Amendment’s guarantee that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause . . .”

In 1890, shortly after the introduction of portable cameras, Samuel Warren and Louis Brandeis wrote in the Harvard Law Review that “recent inventions” pointed to the need “for securing to the individual . . . the right ‘to be let alone’ . . . ” (Warren & Brandeis, 1890). In 1967, the U.S. Supreme Court carried this idea of a “right” to privacy into the modern technological era. It ruled in Katz v. United States (1967) that the FBI had conducted an illegal search by eavesdropping on a telephone conversation via a recording device placed outside a telephone booth. The Fourth Amendment, the court found, protects our reasonable expectations of privacy.

Since Katz, courts have regularly discussed the boundaries of a citizen’s reasonable expectation of privacy vis a vis the government. In June 2014, the Supreme Court recognized the “immense storage capacity” of the “minicomputer” that is a modern cell phone. In Riley v. California, the Court said the rule that allowed police to search an arrestee  for evidence of a crime or weapon means something different now. Because a cell phone stores many types of information about a person that when used together can reveal much about him or her (personal interest apps, addresses, notes, videos, bank statements), because the data stored or accessible on a cell phone conveys far more than in the past (thousands of photographs labeled with dates and locations), and because the data on a phone can date back to the purchase of the phone or further, we are essentially carrying around our houses and papers. In fact, the court noted that cell phones contain more sensitive data than previously has been found in a home, spurring pundits to identify a new concept in legal standards — data is different (Rotenberg & Butler, 2014).

While the Supreme Court has issued key rulings on the implied right to privacy, it has not weighed in on student data privacy specifically. The current legal framework that applies to student data held by schools and vendors acting on their behalf exists primarily in three federal statutes: The Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA) and the Children’s Online Privacy Protection Act (COPPA), which applies to vendors, not schools. States have their own regulatory frameworks for student records and data, which must be considered in conjunction with the federal framework. State legislatures were quite active in 2014 considering bills that would enact some of the new norms discussed above into state law.

FERPA

FERPA and the implementing regulations issued by the U.S. Department of Education provide the overarching regulatory scheme for student records held by public schools. Passed in 1974 in the wake of Katz, FERPA prohibits educational institutions from denying a parent or eligible student access to education records and from disclosing education records or personally identifiable information (PII) contained in them except in specific circumstances. PII includes the name and address of the student or his family, as well as other identifying information such as a Social Security number and information that is linked or linkable to a student.

We could fill pages with a discussion of whether and to what degree student data used by schools for scores of purposes — academic tracking and tailoring, school administration, studies, state and federal reporting — technically amounts to education records or PII contained in them and is subject to FERPA. The most conservative view is to assume all data in use by schools constitutes personal information protected by FERPA.

FERPA and its regulations set out numerous exceptions to the general prohibition on release of education records or PII without parental consent. Two key exceptions are for a “school official” and “directory information.” A school official includes teachers and other school staff, as well as contractors to whom the school has outsourced a service or function. A school official could be, for example, a vendor providing a service such as online grade-tracking. A school district disclosing PII under this exception must use reasonable methods to ensure that the contractor only accesses records in which it has a legitimate educational interest, remains under the direct control of the district, uses the student record information for only the originally intended purpose, and refrains from disclosing it to other parties without authorization. The district must inform parents and students in its annual notification who it considers a “school official.” The school district remains responsible for the privacy and security of education records under FERPA, even if it contracts with a vendor to provide a specific service.

The other FERPA exception key to this discussion — directory information — includes basic information often listed in a directory: name, address, telephone number, extracurricular participation, grade level, etc. Schools may release a student’s directory information without consent, provided it gives public notice of the types of information it considers directory information, and gives parents and eligible students the right to opt out of release.

PPRA

A close cousin to FERPA is the PPRA, which is best known for requiring schools to make certain instructional materials available for inspection by parents and requiring them to obtain parental consent before conducting student surveys on certain topics. The statute also requires schools to consult with parents before devising policies on the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that data. PPRA contains a broad exception to this requirement where “educational products or services,” including district testing, are involved.

COPPA

COPPA, which is enforced by the Federal Trade Commission (FTC), regulates entities that operate online and collect, use, or disclose personal information from children, and also applies to those with actual knowledge that they are collecting, using, or disclosing personal information from children under age 13. The law requires that operators obtain parental consent before undertaking these activities. The FTC has stated clearly that a school may consent on behalf of parents under COPPA in certain circumstances, but school officials must understand fully the purpose for which any personal information about students is collected and how it is used or shared by the operator. As long as the data is being collected and used for the benefit of the school, the school may consent on behalf of parents. The operator must obtain actual and direct parental consent to collect, use, or share the data for “its own commercial purposes in addition to the provision of services to the school.”

How do we as an education community protect student and family privacy while still using the extraordinary potential of student data to facilitate learning and to run the operations of a school district?

State laws

According to the Data Quality Campaign, state legislatures considered over 100 bills addressing student data privacy in 2014. The bills were a first go at codifying the concerns emerging from data privacy conversations. Of these bills, 28 were enacted into law (Data Quality Campaign, 2014).

The bills considered by state legislatures contained common themes:

  • Prohibiting collection of certain data;
  • Prohibiting school districts from sharing certain data with the state;
  • Requiring the appointment of a chief privacy officer at the state or local level;
  • Data governance;
  • Transparency of student data practices; and
  • Cloud storage or processing of data.

The bills enacted into law largely codified existing practices with respect to student data; some create new data governance bodies, and some require specific provisions in state or school district contracts with service providers (Data Quality Campaign, 2014).

Federal legislation

In July 2014, Sens. Ed Markey (D-Mass.) and Orrin Hatch (R-Utah) introduced a bipartisan bill entitled the Protecting Student Privacy Act. The bill would amend FERPA to:

  • Require schools to implement policies and procedures that protect students’ PII and require outside parties to which the school turns over student data (i.e., vendors) to have such policies;
  • Prohibit schools from knowingly providing access to PII to advertise or market a product or service;
  • Require states and schools to ensure that outside parties comply with specific requirements, including:
    • Parent access to PII and right-to-seek amendment;
    • Maintaining a record of all persons and organizations requesting or obtaining access to education records; and
    • Security practices;
  • Require schools to specifically list outside parties who have requested/obtained access to a student’s education records and what information is shared with the outside parties;
  • Require schools to follow data minimization principles that call for schools to meet requests for student information with non-PII when possible; and
  • Require schools to have a policy or practice requiring all PII held by an outside party to be destroyed when no longer needed for the specified purpose.

Conclusion

Although the stated purposes behind state and federal legislative initiatives tend to be consistent with the concepts generally shared by many involved in the data privacy conversation, the devil is always in the details. School officials know well that statutes as written and passed don’t always achieve their stated purpose in a way that makes sense operationally. Worse, they often produce unintended consequences. School districts are well-served by engaging their communities on student data privacy issues to share current practices, seek input on future initiatives, and to be part of state and national conversations as laws and policies take shape.

The good news is that if the norms discussed above are codified in law and policies, schools may eventually enjoy the cover of legal requirements to protect student data privacy in ways that parents and the public now increasingly expect. School officials may have more bargaining power as they try to negotiate privacy protections into contracts with vendors. If the Markey-Hatch bill is passed, for example, schools would have to require vendors to institute a number of data protection policies before districts designate them “school officials” and turn over student data. At some later date, we hope vendors may even be required to include similar protections in “click-through” terms of service agreements, which many of us now blindly accept in order to take advantage of online tools and applications.

References

Data Quality Campaign. (2014). State student data privacy legislation: What happened in 2014, and what is next? Washington, DC: Author. http://dataqualitycampaign.org/find-resources/state-data-privacy-legislation-2014

Katz v. U.S., 389 U.S. 347 (1967).

Protecting Student Privacy Act of 2014, S. 2390, 113th Cong. (2014).

Reidenberg, J., Russell, N., Cameron, K., Kovnot, J., Norton, T.B., Cloutier, R., & Alvarado, D. (2013). Privacy and cloud computing in public schools. New York, NY: Fordham Law School Center on Law and Information Policy. http://ir.lawnet.fordham.edu/clip/2

Riley v. California, 134 S.Ct. 2473 (2014).

Rotenberg, M. & Butler, A. (2014, June 26). Symposium: In Riley v. California, a unanimous Supreme Court sets out Fourth Amendment for digital age. SCOTUS blog. Washington, DC: U.S. Supreme Court. www.scotusblog.com/2014/06/symposium-in-riley-v-california-a-unanimous-supreme-court-sets-out-fourth-amendment-for-digital-age/

U.S. Department of Education. (2014). Transparency best practices for schools and districts. Washington, DC: Author. www.cde.state.co.us/cdereval/leatransparencybestpractice

Warren, S. & Brandeis, L. (1890). The right to privacy. Harvard Law Review, 4, 193, 195.

CITATION: Trainor, S. (2015). Student data privacy is cloudy today, clearer tomorrow. Phi Delta Kappan, 96 (6), 13-18.

ABOUT THE AUTHOR

default profile picture

Sonja Trainor

SONJA TRAINOR is director of the National School Boards Association Council of School Attorneys, Alexandria, Va.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.