Safeguarding Student Data in a Digital World

student data privacyWhen it comes to student data, striking the right balance between collection, analysis, privacy, and security can be complicated. A new policy brief released by the National Education Association (NEA) offers recommendations on how data can be used for good with policies and systems that prevent it from being used for ill.

Collecting student data isn’t new, and the goals are often lofty – data helps identify potential problems early and can allow educators to personalize learning and create more targeted instruction. But unfortunately the data can be used for less noble goals.

Some private companies collecting the data have shared, sold and mined it for profit. For example, in Arizona and Tennessee, health care provider chains inappropriately gained access to student information and used the information to market services to parents.

The main problem with the practice of collecting student data for monitoring and improving student performance, according to the report, is that statutory protection hasn’t kept pace with the technology.

Flaws in Federal Laws

The Family Educational Rights and Privacy Act (FERPA) limits the circumstances under which a school, district, or state education agency (SEA) may disclose personally identifiable information (PII), and requires schools to inform parents of their right to review and correct their children’s records. It also empowers parents to opt out of disclosure of information for purposes not specifically authorized by the law.

But FERPA does not require parental notification or consent for disclosure of educational records to contractors, consultants, and others over whom the educational institution exercises control.

Those conducting research, developing or evaluating assessments, or administering student aid programs may also be granted access, the report finds, provided PII is not disclosed to anyone beyond representatives of the organization, and such information is destroyed when no longer needed.

The Protection of Pupil Rights Amendment (PPRA) requires school districts to work with parents to develop policies regarding the collection, use, and disclosure of personal information, including the district’s privacy protection practices. PPRA also requires districts to allow parents to opt their children out of activities in which data will be collected, disclosed, or used for marketing purposes. But PPRA does not apply to information collected for the exclusive purpose of developing, evaluating, or providing educational products or services for or to students or educational institutions.

The Children’s Online Privacy Protection Act (COPPA), administered by the Federal Trade Commission (FTC), requires commercial Web site operators, online services, and technology apps that target children to obtain verifiable parental consent before collecting a child’s PII. However, consent may be provided by a teacher or school where use of the site or service occurs at the direction of the school or teacher, the use is educational, and the data are not used for any commercial purpose beyond education.

The Every Student Succeeds Act (ESSA) continues the protections that were in the No Child Left Behind law, and also adds specific privacy protections, including a requirement that grant recipients understand their responsibilities under FERPA, and the prohibition against creation of a national database of PII. Also, Title II grant funds may be used to support training in the appropriate use of student data to ensure com¬pliance with FERPA and any applicable state and local privacy laws and policies.

State Laws Protecting Student Data Can Go Too Far

In 2015, more than 100 state bills on student data use were introduced across the country, including outright prohibitions against the collection of certain types of data, restrictions on the use of data, and data protection requirements. Enacting legislation without careful deliberation, however, can produce unintended consequences. For example, requiring schools to destroy student records after the student leaves the school eliminates transcripts for graduates or records for students who change schools. Likewise, the report cautions that requiring prior consent for disclosure of any data to a third party, including researchers, could skew the data and impact findings. Prohibiting outsourcing data security and storage to a third party could impose virtually insurmountable challenges to school districts, many of which lack the internal capacity and expertise to bring this function in house.

Going forward, the technology industry, privacy advocates, and education organizations recommend the following guidance and practices to safeguard student data:

  • Schools districts should develop, in collaboration with parents and educators, policies related to the collection, use, and safeguarding of student data, and procedures for responding to data breaches, and designate the office or individual responsible for compliance.
  •  Educational institutions should maintain control of student data and grant access only to those with legitimate educational needs.
  • Education institutions should be transparent regarding the types of data being collected, the purpose for which it is being used, and with whom data are shared and for what purpose.
  • Those with access to student data should have clear guidelines and training regarding collection, use, and security procedures.
  •  Data mining for advertising and marketing purposes should be expressly prohibited.
  • Data security procedures and practices should be reviewed regularly.

NEA has also joined more than two dozen national education organizations in signing onto the Principles for Using and Safeguarding Students’ Personal Information.

Read NEA’s full report here.