Student data privacy is quite a different topic from the headlines most people read concerning data breaches. It is not about malicious intruders hacking or stealing credentials to get into a system to steal corporate intellectual property or records to sell on the dark web. Student data privacy concerns, specifically, center on the misuse of personally identifiable information, known by its acronym PII.
This can be knowingly done for gain — i.e. marketing or future sales — or it can be done with good intentions, as in capturing and using data about an individual to deliver more tailored learning experiences. Even if being done in the aggregate, there are still concerns of misuse.
Student privacy first entered the national conversation in 1974, with the passage of the Family Educational Rights and Privacy Act (FERPA). Prior to FERPA, schools could release a child’s records to third parties, such as the government or the police, without parental consent or even without allowing parents access to those records. FERPA was created to prevent such practices, requiring parental consent for the release of any student records to a third party.
Subsequent revisions made to FERPA have enabled schools to share student data with any third party designated as a “school official” (contractors, consultants, volunteers, etc.,) without parental consent. A separate revision also allowed for the release of student data to organizations to conduct studies or audits on the effectiveness of educational programs — significantly increasing the number of parties with access to student data.
Controversy over weakened laws
In 2014, a student data privacy controversy sparked around the practices of a new digital learning company inBloom, which then kick-started a debate on student privacy and data storing and sharing that has not yet abated. According to the Parent Coalition for Student Privacy, “For the first time, parents were made aware of how federal privacy laws had been weakened to encourage the widespread disclosure of their children’s personal information by states, districts, and schools to third parties without parent knowledge or consent.”
The inBloom controversy combined with weaknesses in the Family Educational Rights and Privacy Act FERPA (and the inability to shore them up at the Federal level) have driven many states to create their own individual laws. According to the National Association of State Boards of Education, 38 states have considered 112 new bills on student privacy in 2016. Student privacy laws in Colorado and California currently stand out as models or standards for others.
One of the most robust, Colorado’s Student Data Transparency and Security Act, goes so far as to require that student’s PII be destroyed (not simply deleted) after a period of inactivity or non-use, or upon request from a school district. Schools must also ensure that any companies they do business with that have access to the student PII (and any subcontractors working with those companies) adhere to these privacy and protection policies. Several states have also followed California’s example, with laws that prohibit service providers from using data to target ads to students, selling student information, and creating student profiles for commercial purposes.
More than grades and attendance
While student data is comprised of grades, attendance and transcripts, it can also include data such as login details, device data, location information and social media interaction on sites such as Twitter and Facebook.
In March 2015, New Jersey blogger and former Star-Ledger writer, Bob Braun published a private email from a local school official to her superintendent colleagues. The message revealed that large publisher Pearson Education was monitoring social media sites to find students who may be leaking information about tests administered by the company. These tests were developed by a number of states in conjunction with Pearson and were intended to measure student preparedness after graduation.
Many parents and educators, including the American Federation of Teachers, criticized the company’s monitoring activities. Others argued that the company was simply protecting the integrity of its tests. Through a statement on their website, Pearson stated that the monitoring was contractually required as part of its agreement with the states.
The Pearson incident raises important questions about privacy versus marketing and service strategies. Thousands of companies monitor social media for mentions of their company and products. If a student publicly posts something on Twitter that is tracked by a company like Pearson, is that an infringement on the student’s privacy? Or, is it simply a company implementing modern research and customer service strategies?
As the reach of technology extends deeper into our lives, technology companies and policy makers are discovering that it can be difficult to discern public expectation around privacy. Moreover, we are learning that perceptions of privacy are often more important than legal limits and definitions to a product or program’s success.
So who is responsible?
Ultimately, all risks associated with student privacy falls on the shoulders of a school district’s IT administrator. Is it just assumed that those IT administrators are being diligent about student privacy? It would be nice if that assumption could be made, but it doesn’t seem realistic. IT administrators have a lot on their plate, and while they all may do their best, all are not experts on student privacy, its implications and its enforcement.
Government focus on student privacy will continue to grow and change, as we’ve seen over the lifetime of FERPA. And, while politicians can discuss what methods are right and wrong for protecting information, the stakeholders who most directly interact with students and their data must also play a leading role in advancing student privacy.
IT vendors and schools must align to advance privacy awareness and secure student data. Both groups affect privacy, protection, and security, but in much different ways. To effectively determine the best methods of protecting not only student information, but also how students interact with technology, vendors and schools must work together.
Here are six things schools can do to better ensure student data privacy.
Create clear governance policies
Schools should review laws to create policies that include definitions for provisioning and access rights in order to control who has access to specific data and define procedures for how data is managed throughout the lifecycle, from acquisition to use and disposal of data inventories. Someone should be appointed to stay on top of the laws and regulations relevant to your district. These regulations are evolving — fast. You need to make sure that your governance functions and policies are in lock-step and even anticipate the next round of changes.
Lock down access to PII with IAM
Focus on institutionalizing governance policies inside a modern identity and access management (IAM) solution to ensure that only authorized teachers, staff, and specified contractors have access to PII data. Less is more. The fewer people with access, the less chance of issues and violations. This also creates a group that is easier to stay on top of and train regularly.
Manage data with precision
Student data privacy and security relies on controlling what data is synchronized and with whom. Being precise and in control about how data (and what data) is synchronized and which vendors and groups have access to specific data is the easiest way for schools to ensure student data is being handled properly. For example, a textbook vendor shouldn’t have access to students’ home addresses and phone numbers. Rather than granting vendors access to every type of data on a student, there should be attribute level, granular control of what is synchronized. Automating the bi-directional sharing of student and roster data required by today’s more sophisticated learning management systems and digital textbook systems can also provide such granular control over what data is shared.
Randomize data whenever possible
Generate unique usernames that are not tied to the user, making it impossible for an outsider to look at a login ID and identify to which student it belongs, thereby making the data anonymous.
Data should be stored (i.e. at rest) and transmitted securely using encryption, so that if data were to be leaked or obtained by an unauthorized party, it would not be usable.
Vet your vendors
Be clear about where your vendors stand on student data privacy, and only work with vendors that have taken the student data privacy pledge if they will have a need to collect or handle K-12 student data. The pledge, managed by The Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA), is not the end-all when it comes to ensuring the security of your students’ data, but it is a good first step. Vendors that make efforts to comply with the pledge’s guidelines are much more likely to understand and take student data privacy seriously. You should also make sure that your vendors are clear about your specific state laws. Most vendors will be familiar with national laws, but it is hard to stay on top of state laws, as many are new, constantly evolving, and vary from one state to another.
Technology is moving fast and new applications, along with the quest for a more customized learning experience, are making student data privacy a growing and more complex issue. All parties must work together to go beyond securing student privacy and focus on the broader and critical mission of securing students’ actions and interaction with technology.