Lack of clarification around FERPA has created a game of ‘telephone,’ says the Data Quality Campaign.

Asking state leaders to use data to drive school improvement and innovation sounds like a logical idea, but how can they also maintain student privacy in this often treacherous digital age? To help answer this question, the U.S. Department of Education (ED) on April 7 released a few innovations of its own.

Student data privacy is not a new concern. In 1974, the Family Educational Rights and Privacy Act (FERPA) was created to address the issue. But as the world goes digital, data breaches become an everyday occurrence, and ED continues to push for data-driven decision making as part of its school reform movements, it’s time to give FERPA a 21st-century makeover, experts say.

The push for a revamp comes not only from digital privacy concerns, but also as all 50 states have committed to building education data systems need to meet the September 2011 deadlines of the federal stimulus.

“The clarification of how FERPA applies to statewide data systems will be in sharp focus in the coming weeks,” said the Data Quality Campaign (DQC) in a press release. “In the 30 years since FERPA was enacted, the data landscape and the role states play in collecting, sharing, and using education data has changed, which has raised new questions about student privacy protections. States have sought clarifications that would not weaken privacy rules, but rather provide clarity and strengthen a confusing and outdated law.”

To meet the needs of privacy in the digital era, Education Secretary Arne Duncan is asking lawmakers to amend FERPA to ensure that ED’s implementation of the law “continues to protect the privacy of education records, as intended by Congress, while allowing for the effective use of data in statewide longitudinal data systems … as envisioned in the America COMPETES Act and furthermore supported under the 2009 [stimulus].”

“Lack of clarification around FERPA has created an unfortunate game of ‘telephone,’ in which different players have received, understood, and passed along different versions of what they have heard about FERPA,” said Aimee Guidera, DQC’s executive director. “States have received jumbled messages, which have created hesitancy to act. We hope these regulations will provide the clear answers that states need to move ahead to support … data use for continuous improvement and protect the privacy, security, and confidentiality of student-level data.”

In an interview with eSchool News, Guidera highlighted some areas where states have needed further clarification of how to comply with FERPA as they build out their data systems.

State lawyers and education agency lawyers often have to make up their own interpretations of how FERPA policy dictates data-sharing, she explained, adding: “This often leads to policy differing from state to state. So while state X can do one something with data sharing, state Y can’t.”

Guidera also said that many times data can’t be linked across K-12 and higher-education sectors because of misunderstandings of FERPA.

Another example, said Lyndsay Pinkus, DQC’s director of federal policy initiatives, is that experts can’t use the data for research and audits, because they’re not sure if the practices comply with FERPA. “For this reason, many agencies aren’t clear if they can conduct research on the schools’ behalf,” she said.

To help resolve these issues, ED has proposed four key initiatives:

1. Chief Privacy Officer: Kathleen Styles will become ED’s first chief privacy officer. Styles will serve as a senior adviser to the education secretary on all of ED’s policies and programs related to privacy, confidentiality, and data security. According to ED, Styles will head a new division dedicated to advancing the responsible stewardship, collection, use, maintenance, and disclosure of information at the national level within ED. She also will coordinate technical assistance efforts for states, districts, and other education stakeholders, helping them understand important privacy issues—such as minimizing unnecessary collection of personal information.

2. Privacy Technical Assistance Center: The PTAC has been established within the National Center for Education Statistics (NCES), which is a section of ED’s Institute for Education Sciences. PTAC will serve as a one-stop resource for the P-20 education community on privacy, confidentiality, and data security. The center will develop a privacy toolkit that includes frequently asked questions, a library of resources, and checklists for data governance plans. PTAC also will make technical assistance site visits to states and coordinate regional meetings to share training materials. The center’s help desk is now available to take questions on these issues. To access the PTAC website or submit a question, visit http://nces.ed.gov/programs/PTAC/.

3. Best Practices: NCES has launched a series of technical briefs that offer best practices for data security and privacy protection. The briefs are intended to serve as resources for practitioners to consider adopting and/or adapting to complement the work they’re already doing. Three briefs already have been released and are posted at http://nces.ed.gov/programs/ptac/TechnicalBriefs.aspx.

4. FERPA Clarification: ED is releasing a Notice of Proposed Rule Making (NPRM) under FERPA. The proposed regulations would give states the flexibility to share data to ensure that taxpayer funds are invested wisely in effective programs, as well as increase accountability for institutions that handle FERPA-protected records.

In its NPRM, ED says FERPA would be strengthened to ensure that every entity working with personally identifiable information from student education records is using this information for authorized purposes only.

Schools will be able to implement directory information policies that limit access to student records, preventing marketers or criminals from accessing the data. And states will be able to enter into research agreements on behalf of their districts to measure the success of programs, such as early childhood programs that effectively prepare kids for kindergarten.

In high schools, administrators would be able to share information on student achievement to track how their graduates perform academically in college, according to the NPRM.

“Data should only be shared with the right people for the right reasons,” said Duncan in a statement. “We need common-sense rules that strengthen privacy protections and allow for meaningful uses of data. The initiatives announced today will help us do just that.”

ED said it welcomes public comments on the proposed regulations. All responses will be reviewed with the goal of publishing a final rule by the end of this year.

The full NPRM can be found at http://www.ed.gov/fpco. To weigh in on the proposed regulations, stakeholders must leave their comments at http://www.regulations.gov by May 23.

“Clarifying and enforcing FERPA is only one piece of the puzzle,” said the DQC. “States also have a critical responsibility to implement strong policies and practices, aligned with best practices from other sectors, to protect student information.”

DQC will release a new publication providing guidance to states on these issues on April 28.

“Despite some attempts to portray it as so, using data and protecting the privacy, security, and confidentiality of student information are not mutually exclusive goals,” said Guidera. “As a nation, we must address the political, cultural, and technical barriers to appropriately, securely, and effectively use data to improve our nation’s education system.”

Links:

DOE FERPA Proposal (in full) (PDF)

DQC

Webinar on FERPA proposals

DQC’s recommendations on building education data systems (PDF)