Protecting Student Privacy in the Data Age
In Kentucky, parents, educators and policy makers can track how many students from a high school go to college, and once they are there, how many require remedial classes. Massachusetts is one of several states with an early warning indicator system, which flags school officials when students appear to be at risk for dropping out of high school. And in Georgia, teachers can easily access years of test scores, class grades and attendance rates for any student.
Student data evangelizers argue that used correctly, data, including student attendance, test scores and demographics, can enrich education. Teachers can better personalize instruction for students, principals can view the academic records of students who move across school districts and parents can determine whether a child is on track for college, to name just a few examples.
But that promise comes with threats to students' privacy. Parents have expressed concerns that if teachers have easy access to students' entire academic histories, they might write off those with poor records, or that student information might fall into the hands of sexual predators. Those concerns have led to heated debates about how much data schools should be collecting, how it should be stored and who should have access to it.
Over the past year, the Common Core State Standards have also sparked discussions about student data, although the standards do not call for the federal government to collect data.
“There's no denying that education technology has the potential to transform learning if it's used wisely,” said Joni Lupovitz, vice president of policy at Common Sense Media, which this fall launched a campaign to raise awareness about student privacy issues. “What we're working to ensure is that as educators, parents and student embrace more and more education technology, (and) balance the equation by focusing on student privacy to help ensure that we're creating an atmosphere where kids can learn and be engaged but thrive without putting their personal information at risk.”
Relying on a 1970s Law
Until recently, most states weighing privacy questions relied on the federal Family Educational Rights and Privacy Act (FERPA), a 1974 law intended to protect student education records. But in recent years, the U.S. Department of Education has made regulatory changes to the law, creating many exceptions. For example, education records now may be shared with outside contractors, such as private companies that track grades or attendance on behalf of school systems. The changes have prompted some states to examine whether they should play a stronger role in protecting student data.
Paige Kowalski, director of state policy and advocacy for the Data Quality Campaign, a nonprofit that advocates for the effective use of data to improve student achievement, said states are starting to realize they need more sophisticated and comprehensive policies, regulations and practices around student privacy, and that they can't just rely on FERPA.
“All states have privacy laws on the books, but a lot of them are old,” Kowalski said. “A lot of them just don't have modern policies that were written acknowledging that data is even at the state level, let alone stored electronically and because of technology is able to move.”
Kowalski said states' privacy policies might refer to outdated information practices, such as checking out paper documents, while failing to discuss modern needs like encryption.
Most school districts rely on cloud computing — meaning data are stored on servers that can be accessed through the Internet — for everything from cafeteria payments to attendance records. But a recent study by the Center on Law and Information Policy at Fordham Law School concluded that most cloud-based services are “poorly understood, nontransparent and weakly governed” by schools. Most school districts fail to inform parents that they are using cloud-based services, and many contracts with web-based vendors fail to address privacy issues, the study found.
Keeping Parents in the Dark
The Electronic Privacy Information Center, a nonprofit research group in Washington, D.C., filed a lawsuit in February 2012 against the U.S. Department of Education challenging its FERPA changes, but a federal court dismissed the lawsuit for lack of standing.
Khaliah Barnes, the center's administrative law counsel, said many schools and states are doing a poor job of informing parents of the issues that can arise with technology. She said school districts should tell parents about the kinds of information they collect, to whom that information is disclosed and for what purposes. Parents should also have the right to opt out of disclosing certain types of information, she said, and should be informed how to access and change incorrect information.
Barnes said schools are using new technology to collect information that goes far beyond attendance records and test scores. Schools have used palm scanners to help students speed through cafeteria lines, and GPS or microchip technology to tell schools when students get on the right school buses or arrive at school, for example.
One state leading the conversation on student data privacy is Oklahoma, which in June adopted the Student Data Accessibility, Transparency and Accountability Act establishing rules for the collection and transfer of student data by the state.
“It was designed as a system of safeguards to protect student privacy,” said state Rep. David Brumbaugh, a Republican, who sponsored the legislation. “It stops the release of confidential data to organizations outside of Oklahoma without written consent of parents or guardians.”
The law prohibits the state from releasing any student-level data without state approval, which means the education department can release only data that is aggregated and cannot be tied to any individual student.
“To my knowledge, we're the only state that doesn't release student-level data,” said Kim Richey, general counsel for the Oklahoma Department of Education.
Brumbaugh said he's heard from lawmakers around the country interested in proposing similar legislation for their states. The conservative American Legislative Exchange Council has also proposed model legislation similar to the Oklahoma bill.
Other states also have taken action on student data privacy this year:
- In New York, where a handful of bills related to student data privacy have been introduced in the legislature, the Senate Education Committee held a series of public hearings this fall on topics including student privacy around a planned data collection system. Last week, state Sen. John Flanagan called for a one-year delay in the launch of the data collection system. The Long Island Republican urged lawmakers to strengthen protections for data on the statewide data portal and set civil and criminal penalties for violations.
- Georgia Gov. Nathan Deal, a Republican, signed an executive order in May prohibiting the state from collecting or sharing personally identifiable data on students and prohibiting student data from being collected for the development of commercial products or services.
- In October, the Alabama State Board of Education adopted a new policy on student data that allows the state to share student data with the federal government only in aggregate. The policy also calls on school districts to adopt their own policies on the collection and sharing of student data.
- Republican Gov. Terry Branstad of Iowa signed an executive order in October reaffirming that student data should be collected in accordance with state and federal privacy laws and that only aggregate student data would be provided to the federal government.