Updating FERPA, after all it’s only 40 years old

This week Congress talked about improving legislation to protect student privacy. The Subcommittee on Early Childhood, Elementary and Secondary Education conducted a hearing to discuss updating FERPA and it is important that student privacy is being discussed in Congress to raise awareness of this issue.

FERPA was enacted in 1974 and what this session made clear is that the 40 year old law can’t keep up with the rapidly developing education technology industry. So yes, FERPA needs a facelift. The discussion is moving beyond attempts to prevent the collection of data to become a dialogue involving students, parents, educators and industry leaders. Now, I am not saying it’s all good and we have nothing to worry about but I am encouraged when listening to testimony acknowledging the challenges ahead and the desire to present Congress with facts and information that will help them make informed decisions. More importantly, I feel Congress asked some of the right questions – what is the role of third party vendors, what data should we collect, what does it mean to have an SLDS and how long should we retain the data? The underlying problem is how to support and improve FERPA without shutting the system down. The hearing was not about overreach. It was about finding a balanced approach to updating a law to protect student information.

I found particularly interesting Joel Reidenberg’s proposition of data minimization: how much data should we really collect and do we need to collect every detail of a child’s educational journey? We ought to critically examine what data is required to improve education and serve each learner’s particular needs. And it’s complicated. As Shannon Siever pointed out – do we need to do a biometric scan on a student in order to deliver school lunch? No. But biometric data can provide valuable insights and benefits for a student undergoing speech therapy. So what do we limit?

Another important point discussed was that of data ownership. We need to define this concept because what data ownership means for industry is not the same as what data ownership means for students. Does one recognize students own their data while still acknowledging that third parties can use that information?

Though much was discussed during this hearing, much has yet to be discussed. If we overhaul FERPA, we must be mindful that we are not limiting our ability to study why some students are being left behind. That we adopt a comprehensive approach to the collection of information but that we protect the information of students with learning disabilities, for example.

This Committee will be well served if it considers parents as partners and not bystanders. Consider who generates the data (students), who holds the data (schools) and how the data is being used (third party vendors) in schools. Strike a balance of personalized learning and safeguarding data.

I urge Congress to be careful when considering changes in FERPA and to think seriously how these changes will impact the ability of schools to use technology to better educate students. In an effort to limit data usage we may limit how we can help students learn.

Without modernizing FERPA innovation will stall. If parents do not feel that we have a law on our side, there will be a constant tension between schools, students and service providers. FERPA needs to be updated to fit what happens in schools and technology today to build trust between all the stakeholders, foster cooperation and provide privacy protection. And don’t forget our students need to have a voice in the process – what do they expect an updated FERPA will deliver to them?

If you missed the hearing, here is the archived webcast - Congressional Hearing


A Privacy Dilemma


What do you do when you are faced with a privacy dilemma? This week, one of my children brought home a consent form; and it wasn’t for a field trip. It was a consent form to allow pictures to be used on a website used by many to raise funds for school projects. So I am faced with a privacy ethical dilemma. Do I protect my child’s privacy by not allowing pictures of her to be used as the letter states “on our website and may allow our donors to display all photographs on their websites and social media channels and to otherwise use the photographs for publicity and promotional purposes” or do I allow her picture to be used because her teacher is raising funds to be able to afford projects that shall further her education?

So here I am sitting with this letter trying to make the right decision. But is there a right or wrong in this case? You see, it’s difficult because ultimate ethical systems are impracticable. It is nearly impossible to define with absolutes. Ethical systems are workable as sets of principles. So do I give permission for my daughter’s pictures to be used so that her class can get much needed resources sacrificing her privacy in the process?

Our kids care about their privacy. It matters to them. How would they feel if we asked them if we could take their picture and post it for the world to see? I wonder sometimes what it feels like to be a kid these days. Whenever any of us pulls out a camera to document the recitation of a poem or performance of a play and post it on social media, our children’s privacy becomes public. When I was growing up I could see parent faces, now I imagine kids see camera phones…but I digress.

And this is the point when we need to stop thinking about what we want and shift our focus to the children and ask ourselves – what do they want? How do they feel? This picture, this image of my kid, is becoming part of her data trail. A data trail that she is having very little say in its forming. If others can take this picture and use it in other materials it is becoming impossible for my daughter to control her data. Which is why the issue is so complicated. But in controlling the use of her picture we are in a sense limiting the ability for the school to raise funds. And it is a struggle to deal with this tension. Who gets to decide what is right? Am I right or should the school get as many opportunities for funds as they can? Thus the privacy dilemma, in the effort to protect one am I unwillingly affecting others. A photograph is more than just a photograph.

So what do you do? Sign the paper or not?



Trust and Privacy in Education


It’s been a busy month for data privacy. We had Data Privacy Day, President Obama announced new privacy protections for students and the Department of Education is working on a National Education Technology Plan. Inherent in all these initiatives is trust. Learning to trust is probably one of the most difficult things we need to learn in life. Choosing to trust an organization with personal information is probably not as important as the decision we must make when we trust someone to educate our children. So if we trust our schools to educate our kids why can’t we trust schools and service providers with our children’s data?

Fears about the misuse of student data have become a central part of the debate in education. And the data breaches at Target & Sony only instill greater concern among parents regarding the security of their children’s data. Further, it is difficult to dismiss concerns when we read privacy policies in which companies might be able to classify student data as an asset to be transferred to a third party purchaser in case of bankruptcy. It is clear to me that we need to build trust amongst service providers, schools, parents and students. Trust is more than just being compliant with the law. Trust is about building relationships so that we all understand the sensitivities around data. Trust is about designing an ecosystem that enables learning to take place but protects student privacy.

Data privacy is difficult, it takes work, it’s complicated, it’s emotional. It seems that as much as we want to simplify the use of technology we inherently complicate it. We need to think about what is “right” and “what works.” We can’t continue to look at privacy as a right or wrong alternative. We have to be able to discuss the implication of the use of student data and what we are willing to do to reach out and trust each other to do the right thing. Trust is about transparency and transparency enables trust.

If parents and schools assume that technology service providers are “preying” on student data we are getting off to the wrong start. Everyone is on the defensive. Parents don’t trust technology, technology doesn’t trust parents and so it goes. How does technology mistrust parents? By not being fully transparent of their practices because of fear of being shut down. On the other hand, service providers are not going to gain our trust just by changing privacy policies. It is important that privacy policies align with protecting student data. We cannot accept a privacy policy that complies with legal technicalities just because they were called out on a blog or newspaper article. Why not have adequate policies from the beginning? Why must we feel, as parents, that we need to scrutinize these policies because if we don’t we are leaving our children vulnerable?

We need to work on creating opportunities to educate different stakeholders in education. We must recognize that students are central but their data is critical if we are to create opportunities that service them in the best way possible. We can’t get this wrong. We have an opportunity to work together to develop a thoughtful and comprehensive student data privacy plan. Our students, our kids, have too much at stake. If we do not build trust, work on it, and maintain it we stand to lose. Once trust is lost, it is almost impossible to get back.



Balancing Equity and Privacy in Education


We are celebrating Dr. Martin Luther King this week. Dr. King, who led the Civil Rights movement in the United States from the mid-1950’s until his death by assassination in 1968. Much has been said that education is the “civil rights issue of our time,” but when hasn’t education been a civil rights issue? You see, many minority groups have always seen education as the way (sometimes the only way) to fight discrimination. Unfortunately, discrimination and bias is present in schools today. Black students are expelled at a higher rate than white children. English Language Learners are more likely to be disciplined and discriminated against because of their and their parent’s lack of English proficiency. And although education is the surest way to fight discrimination, students of color are more likely to be in underfunded schools. But we would not know this if we didn’t have the data to back it up.

It has only been 60 years since Black and White children could legally sit side-by-side in public schools in much of this country. Studies have shown that student and teacher diversity is essential to optimize teaching and learning. Practices enacted to correct some of this have become policies that support educational goals that help students of all ethnic and racial backgrounds. We would not be able to determine this if we didn’t have hard data to identify the problem and measure the success of programs intending to address it. Sound policy requires that we have a comprehensive picture of what happens in schools.

But this doesn’t mean the students who we are trying to help forfeit their privacy. Students must feel safe in making mistakes, confident their learning shall not be used against them in the future. They ought not worry that a learning disability will restrict the opportunities available to them because of what their record shows. Privacy allows students to fearlessly take risks, make mistakes and grow as learners. But if they are not offered protection, they may choose to opt out, limiting the available data, invalidating the conclusions to be drawn. If we are concerned about their future, isn’t it our job to set our students up for success?

As we advocate for student privacy we need to acknowledge that bias and discrimination are real in schools today. We need to make sure that as we address issues of privacy in education, we are cognizant of the learners that will miss out on educational opportunities because we cannot ensure that their privacy will be protected and their information will not be used against them in school.

I encourage all of us to seriously address these issues but we cannot do so without reliable studies, data sets, and trends that are studied over time. Otherwise, what is our argument? Because I “think” this is happening? We can’t ignore the entrenched bias in education but we can only address it with effective data. So as we continue this debate, let’s not forget that high quality education and privacy is not only the right of the few but of all students.


The President talks Student Privacy…wait! What??

  Student Data Privacy has become such an important topic that even the President is talking about it. Earlier this week, President Barack Obama outlined his privacy and security agenda at the FTC in advance to his State of the Union Address. Why is this important for students and parents? Because, the Administration is taking notice. The President called for companies to make a firm commitment to use student data only for educational purposes and sign

A student data privacy wish list


The New Year is here and a couple of weeks ago the kids wrote what they wished for in 2015. It was interesting to read what they hoped for in the New Year (good grades, help people and can my little brother leave me alone). We all have our wish lists for the New Year, so I stepped back and started to think what my wish list for student data privacy would look like.

It is hard to name one issue I would like addressed in the education technology sector when it comes to student data privacy, my list is much longer than my kids wrote but here are my top picks. With the ed-tech industry stating it is all good (somewhat) and some privacy advocates saying it is all bad (some of it, but not all), it is difficult for parents and schools to know what concrete steps shall ensure the privacy of student data.

For starters, I would like to define who owns student data. We need to take a close look at the definition of ownership and acknowledge students, so our conversation shifts from one in which privacy (and education) sometimes happens to a conversation in which students are telling us what is important to them when it comes to their education and privacy. As I have more and more conversations with students of all ages, I realize they are increasingly aware of how they contribute data about themselves to a system that does not give them much attention. 2015 should be the year we learn to listen.

Parents need to be informed. And I don’t mean just by issuing boilerplate press releases in which companies tell parents they care about privacy. Or School Districts sending home flyers that say student data is safe. We must invest in workshops and informational sessions in which parents can have a genuine conversation about what is important, why it matters and what we can do about it. The conversation about data collection has to turn from one of what data should and should not be collected to one in which we discuss the best ways to use the data to help our students.

Which brings me to the value of data. The phrase “data is the new oil” can certainly be true. There is arguably, great profit to be made with data in many different sectors. But I hope that in 2015, the value of data for parents and students is not strictly a monetary one; for the value lies in its impact on improving our children’s education. Parents ought to be shown the direct benefit for their kids. Unless they see these benefits, the conversations about Big Data sets in education will remain irrelevant.

With the different data breaches that occurred in 2014 in the education sector, we need not only ask the companies and schools holding student data to be responsible. We must be able to hold them accountable for misuse of student data.

My list could go on and on but if I had to pick the one thing that I think is the most important it’s  – data privacy training. Training for parents, teachers, schools and students. We need to understand the system better. I want education sessions that inform students on their data, how it is used and how to be responsible owners of their data, empowering them to be responsible digital citizens.

Last year was an interesting one (to say the least). My focus is on taking advantage of the lessons learned and moving the conversation forward. If 2015 is anything like last year, we are in for an interesting debate. How will new platforms use student data? What new studies and research shall be funded to “improve” educational outcomes? Can data truly be de-identified? What biases are being unintentionally created when some students opt out of data collection? What learners are being left behind when there are opt outs in data sets? Are we being sensitive to other cultures and addressing their concerns when it comes to their privacy? How does privacy or lack thereof affect a student’s experience?

I don’t think we will be able to answer all of these questions in one year but I am sure we will be discussing them. All of them. In the meantime, I wish you all a most wonderful 2015! What’s on your wish list?



Is Student Data Privacy the New Black?

Student data, education and privacy are not new topics, but in 2014 we seemed to debate them everyday. Has student data privacy suddenly become fashionable? Maybe. It certainly dominated the headlines and students and parents are now central participants in the conversation.

So what happened to make Student Data Privacy the “it” thing?

Possibly the biggest story of the year was inBloom’s collapse. inBloom stood to be an efficient, scalable and economic solution for school districts that did not have adequate infrastructure for hosting and managing student data. Arguably the most misunderstood project in 2014, inBloom shut its doors in April. Was student data privacy saved? I don’t think so. Underfunded schools continue to lack the resources wealthy districts have when implementing student dashboards. And while inBloom closed, most school districts are still struggling with the same privacy concerns that existed before inBloom appeared on the scene.

Google began the year wrapped in controversy when we read how they were “data mining” student emails sent through their Google Apps for Education package. There was a lawsuit, but most importantly, Google changed their Terms of Service and stopped scanning emails for the purpose of targeted advertising. This is positive news particularly in light of the New York City Department of Education’s recent announcement that it had approved the use of Google’s Chromebooks for use in the city’s public classrooms. That is about 1.1 million students in NYC using Google products. With so many students using Apps for Education parents need to be assured their children’s emails will not be used for any other purpose other than what the school environment calls for.

New York state also contributed to the debate in 2014 by appointing the first State Chief Privacy Officer for Education. This was big news and it ought to be a valuable resource for parents and schools. Uniform best practices across the state should certainly benefit most students. However, here’s the rub, NY still doesn’t have a permanent appointee to the position. So we must wait and see. New York also issued a Parent’s Bill of Rights for data privacy. Unfortunately it fails to dig into the issues of data ownership, opt out consequences and parental consent for certain data collection. But it is a step in the right direction, and I am hopeful that during the year to come NY’s CPO will clarify the many questions surrounding the handling and protection of student data.

Even lawmakers paid attention. In 2014, 110 education data privacy bills were introduced and 28 were signed into law. Most noteworthy, California’s Student Online Personal Information Protection Act was called the first law in the nation to strengthen privacy protections for the personal information of California students and permit innovation in education and technology. Senators Edward Markey (D-Mass) and Orrin Hatch (R-Utah) introduced the Protecting Student Privacy Act, an effort to update the 40 year-old FERPA student privacy law.  Not without controversy, some argue the bill is not strong enough, others argue it is unnecessary to revamp FERPA. Unfortunately, the bill has not moved, remaining in the “let’s see what happens” stage. And though the federal Department of Education issued guidelines on student data privacy, most answers in the guidelines boiled down to “it depends” and we’re still trying to figure it out.

In 2014, ed-tech companies were debated, attacked and praised. Most didn’t think they were doing anything wrong until parents brought their concerns to their attention, forcing them to take a closer look at their privacy policies.

In response to that, the Student Data Privacy Pledge came into being. Once again, not without controversy. An initiative from the Future of Privacy Forum and the Software & Information Industry Association, the pledge commits service providers to the secure handling of data for K-12 students. While some privacy advocates argue the Pledge is a mere PR move because it is not a legally binding document, I’d argue that if companies violate their own public representations they would be subject to enforcement by the Federal Trade Commission for deceptive trade practices. So there’s that.

Near and dear to my heart the website FERPA|Sherpa was launched, aimed at providing a one-stop shop for education privacy-related information of interest to parents, schools, education service providers and policymakers . And I started to write my blog (shameless plug) which has allowed me to dig and opine on topics of great interest to me.

There was a lot of discussion of student data privacy in 2014. It does seem this was the year student data privacy became fashionable. I hope it’s a trend that is here to stay. A timeless classic…




The challenges of student data privacy and the opportunities ahead – my conversation with the National PTA

Last week, I was invited to participate at an event organized by the National PTA in conjunction with Microsoft to discuss the complex issues surrounding the student data privacy debate. The goal of the event was to equip PTA members with tools to become trusted messengers and champions of student data privacy. I was able to share my experiences and perspective on student data privacy as a parent.

There were many topics discussed that day such as how data are used, data sharing, privacy policies, the Cloud and Big Data. It was an ambitious conversation but one focused on balancing the benefits of collecting student data while ensuring this information is kept private and secure.  I was also able to deliver the message that a class of 5th graders eloquently expressed to me – that we need to be smart about protecting student data because it is important to them.

With that in mind we talked about what Big Data sets in State Longitudinal Databases can do for students and what it cannot do for an individual student. Big Data sets tell important stories and it’s valuable information. We discussed how this data allows us to identify student needs like providing free lunch to kids who need it or how can we address chronic absenteeism, as well as how studies that are generated from Big Data sets allow us to identify issues of discrimination and bias in schools. Recognizing we need the data, how can we properly de-identify it so that it cannot be back mapped to a particular student. Maximum protection of data is important but a big concern from the group is that we provide adequate training to those allowed to work with student data.

Having privacy protections is not enough if we do not have adequate training for school staff on what information can be disclosed to others not only while a child is in school but years after they have left the school. And should we be addressing “data term limits” as to how long student data are retained after a child finishes high school. We discussed the ethical uses of data and what are beneficial uses to help our most vulnerable learners. For example, English language learners might not understand how the data can be used to help them address their different learning needs. How can we assure them that the data will be ethically used and only disclosed to those that are allowed to see the information in order to help them?

Or how does having information on students with learning disabilities help schools address their issues as learners with different needs. How can we take the data and use it to help students but give them the assurance that their disability will not be disclosed to those who do not need the information. The biggest challenge we agreed on, was building trust between schools, parents and service providers that student data are being used responsibly. By building trust we can then focus our conversation on students and providing them with tools to decide what data is collected, how it can be used and ultimately who has access to it.

Focusing our conversation on these issues helped us discuss students and their needs, data and its ethical use, and being responsible custodians of data. At the end of the day, we recognized that having adequate training and materials to support those working with student data is important. But just as important is recognizing we need the data to help students not only at a macro level with longitudinal databases but at a micro level in schools every day for individual students. I was encouraged that our conversation focused on how we can help students and protect their privacy. Our conversation was rich in addressing the issues surrounding student privacy and ensuring that schools and parents understand the importance of being responsible custodians of data. We moved away from what data should and should not be collected and focused on helping students and empowering students to be effective digital citizens.


Let’s talk big data

Big data can be messy and complicated or elegantly simple. Many big data projects begin from the need to answer specific questions and with the right analytics in place organizations can find actionable insights into their operations. In addition, big data allows for different variations of computer aided designs to check how even minor variations can affect outcomes. Big data projects can obtain, process and analyze data in a variety of ways. Every data source has different characteristics and provides valuable information. With this goal in mind the National Science Foundation awarded a $4.8 million grant to an education project called LearnSphere. LearnSphere is poised to hold large amounts of anonymous student information that is routinely collected for different data analysis purposes. Most importantly, it will allow for large scale analysis down to “being able to detect emotional states from keystroke data”

So what does all this mean? I had a few questions and Dr. Kenneth Koedinger, who is spearheading this effort, was open to address my questions and concerns. Ken is a professor of Human Computer Interaction and Psychology at Carnegie Mellon University. He has an M.S. in Computer Science, a Ph.D. in Cognitive Psychology, and experience teaching in an urban high school.

Although I admire the ambitions of the project, aiming for a deeper understanding of the learning process, my initial concern was the lack of individual student acknowledgment. Data analytics can be a great tool if we need to raise efficiency in production or predict consumer behavior but students must not merely be viewed as products to be improved upon. How do we ensure that the use of such data does not aggravate existing bias and discrimination in education? What measures shall protect our most at risk students– students with learning differences, students marginalized for their race, religion or nationality. And while the project insists that kids are not numbers, the data and information generated from students are looked at as numbers, so that the data and information can be looked at in the most unbiased way possible.

And this is where the project gets interesting. First, the data used for research has been de-identified. Demographic information has been removed from data sets researchers are looking at. The shared data sets are randomly assigned new identifiers and they do not indicate race, geographic location or school the information is coming from. Measures have been taken to make it difficult to tag records back to particular students. The project maintains there is no back mapping to the native records.

The main objective for LearnSphere is to improve student outcomes. What are the difficult parts of learning a course? Why do students have such a difficult time with certain mathematical problems and not others? For example, some might predict that math word problems will be harder for students to work through but as it turns out, some students did better with a math problem that used language instead of just looking at an equation on a piece of paper. The project will look at the learning barriers some students have and how can we use this information to improve learning designs. Where are students now in the learning process and how can we be sure we provide as much support as we can with the data we possess. As Dr. Koedinger clarified it for me “we are studying the terrain on a hiking course rather than the hikers” so how can a study like this make the terrain easier for our hikers? Well, LearnSphere aims to help us all identify those “expert blindspots.” For example, a teacher will know all his / her students but there are spots a teacher just doesn’t see because of closeness to the students. LearnSphere aims to help teachers create effective teaching environments so that our kids can hike the next hill a bit easier.

I still have some reservations when studying vast amounts of data. If data sets include student papers and extensive student data, the risk for re-identification exists. If we are studying data with such finite precision, at what point can the source of the data be tagged back to particular students? There can be no guarantee that data will be fully non-identifiable without an independent qualified expert review and approval of aggregation methodology. Leading de-identification experts need to be involved with a project of this scale.  I also hope Dr Koedinger will take advantage of the opportunity to work with two of the most highly respected experts on privacy, Professors Lorrie Cranor and Allessandro Aquisti, both who happen to be located nearby at Carnegie Mellon University.

I advocate for a smart and ethical collection of data for I see the potential benefits of its use. We must remain mindful of the privacy issues raised in such a project as this. Will we truly be making it a more equitable educational system or will the algorithms of big data systematically discriminate against those learners already at a disadvantage?  Projects like this can help, but only if the concerns of potential discrimination are carefully considered and the goal of helping individual students is paramount.

We ran out of time (or phone battery) when we spoke to Ken but there will be more information clarifying some of the still outstanding questions I have. Stay tuned…

In the meantime, here is a short video of Ken explaining his Learning Project


An invitation for comments on student data privacy

The National Association of Secondary School Principals has an initiative to provide policy recommendations to ensure the protection of student data privacy and appropriate use of student data to improve teaching and learning in the classroom.

This initiative is of particular interest in that the NASSP is opening their statement to public comments. We often ask for our voices to be heard in the student data privacy debate and this is an opportunity to submit comments and ideas.

Technology is making it easier for schools and States to collect and analyze data to help them make informed decisions on issues that need to be addressed and what is working in schools. Even though this provides valuable information, we must ensure that the guidelines established adequately protect student privacy. The preliminary statement has interest recommendations. In particular the section “Recommendations for School Leaders” as it focuses on communication and transparency. It asks that district policies related to student data are communicated to teachers and parents and that teachers are educated about the use of online educational services. These recommendations address some of the main concerns parents and school districts have.

The full text is below or you can read it here

Please consider making comments to the initiative. Parent feedback can provide deep insights into the student data privacy debate. This is an opportunity to offer our perspective. The comments section is open through January 7th, 2015.

   Student Data Privacy

The NASSP Board of Directors stated on November 7, 2014 its intention to adopt the following position statement, following a 60-day comment period. NASSP members and others are invited to submit comments on this statement by January 7, 2015 to[email protected]. The Board will include public comments as it deliberates final adoption of the statement at its February 2015 meeting.



To provide policy recommendations to ensure the protection of student privacy and appropriate use of student data to improve teaching and learning in the classroom.


Data-driven decision-making has become a tenet of high-performing schools and is essential to transforming teaching and learning in the classroom. The Alliance for Excellent Education says that the “effective use of data and learning analytics are both critical components of a digital learning strategy to personalize learning for many more students, especially to increase student retention and achievement in the highest-need schools (page 2).” Narrowing achievement gaps and assisting all students to be college and career ready upon high school graduation have economic implications as well. In a report examining the potential of the use of data in education, the McKinsey Global Institute estimates “the potential value from improved instruction to be $310 billion to $370 billion per year worldwide, largely through increased lifetime earnings (page 22).”

Technology has made it easier for principals and teachers to collect and analyze data at the school level, and districts and states are now creating longitudinal database systems to help them make structural changes in education that will have a greater impact on more students. For this reason, educators at all levels are authorizing third-party vendors to have access to student data. These vendors offer services that purport to assist educators in communicating with parents—improving the quality of education programs, providing supports and services for students, and providing secure data storage. In fact, every electronic device and application with a connection to the Internet could potentially be used to collect or access student data.

While the collection and analysis of student data is essential to the teaching and learning process, this must be done within parameters that protect the privacy of students and ensure that their data is used only for legitimate educational purposes. The Family Educational Rights and Privacy Act (FERPA) was enacted in 1974 and generally prohibits schools from disclosing personally identifiable information in students’ education records without consent. There are exceptions to the consent requirement, including one that allows the disclosure of such information to “school officials” for educational purposes. This particular provision was expanded in 2008 when the US Department of Education approved new regulations clarifying that third-party vendors (such as those who help manage school databases or provide digital curriculum) can be included within the school official exception. While third parties must be under the direct control of the school in terms of how they use and maintain the records and only use the records for the purposes for which they were shared, there is some concern that there are still gaps in the protection of student data. Overall, while most policymakers and educators understand the value of data collection in improving educational quality, there is some concern that FERPA itself, as well as the accompanying regulations, have become outdated in the new digital age.

In 2014, a congressional hearing was held to address student data privacy issues and a Senate bill was introduced to update FERPA and clarify that third parties are forbidden from using student information for marketing and advertising purposes. Fourteen states also enacted laws to strengthen student privacy protections, and the National Conference of State Legislatures reports that more than 100 student privacy bills were introduced in 36 states. Each principals’ full understanding of and familiarity with federal, state, and district policies on data collection and student privacy requirements are essential as this issue further develops.

Guiding Principles

NASSP believes that data has the power to transform teaching and learning by helping educators identify and provide supports to all students, assisting teachers and school leaders in improving their instructional practices, and informing schoolwide improvement activities.

NASSP believes that student data should only be used for the purpose of informing education policy, practice, and research and to deliver educational services to students.

NASSP believes that technology-enhanced data collection and analysis can assist schools in the planning and delivery of a student-centered, personalized, and individualized learning experience for each student—a fundamental tenet of theBreaking Ranks framework for school improvement.


Recommendations for Federal Policymakers

  • Develop policies on the use of student data that balance privacy and property protection with the need to improve teaching and learning
  • Require strong encryption standards for any federal agency or vendor that is collecting and/or storing sensitive student data
  • Provide guidance to states regarding the collection, storage, security protections, and destruction of student data
  • Provide funding to states and districts to help them address privacy issues related to student data
  • Ensure that personal information and online learning activities are not used to target advertising to students or their families
  • Limit nonconsensual access to personally identifiable student data to school, district, or state educational agency employees.

Recommendations for State Policymakers

  • Establish a statewide data security plan to address administrative, physical, and technical safeguards
  • Develop data breach notification policies for districts and schools
  • Identify a state-level official who is responsible for privacy, data security, and compliance with all federal and state privacy laws and regulations
  • Develop policies on data collection, storage, and access to ensure that student data collected through statewide longitudinal data systems is protected from inappropriate sharing or use
  • Provide guidance to districts and schools regarding the collection, storage, security protections, and destruction of student data.

Recommendations for District Policymakers

  • Develop clear policies about what student information is collected, how that data is used, to whom the data is disclosed, and each party’s responsibilities in the event of a data breach
  • Ensure that data security practices include proper data deletion and disposal, including purging of electronic data, shredding physical documents, and destroying the presence of all data on old electronic equipment where data has been stored
  • Identify a district privacy officer who is responsible for monitoring and complying with federal, state, and district policies on data privacy and for guiding school leaders and teachers in their use and protection of data
  • Provide training for all district staff to ensure they understand basic legal requirements, their responsibilities, and specific district policies concerning student data
  • Ensure that principals receive training on policies and procedures that support prevention of—and specify steps to be taken in the event of—a data breach. This should include procedures to notify authorities, parents, and other community members
  • Educate district staff about online educational services (paid and free) and how to determine whether they comply with FERPA and state and district regulations
  • Coordinate an annual privacy training for all school and district employees who have access to personally identifiable student data, adopt online educational services or apps, or procure and contract with service providers
  • Ensure that all third-party vendors that collect or have access to student data have written contracts that specifically address privacy and the allowable uses of personally identifiable information, and prohibit redisclosure of personally identifiable information without parental consent
  • Establish a policy whereby all data created by students, teachers, and other school staff is an “education record” in order to maintain control of how outside providers may access the data
  • Communicate directly with parents about the collection and use of student data and the privacy measures and protections that are in place to preempt confusion and misunderstanding
  • Prior to using online educational services, ensure that the contract or “terms of service” contain all necessary legal provisions governing access, use, protection, and destruction of student data
  • Ensure that agreements with outside providers include provisions allowing direct and indirect parental access to student data
  • Ensure greater transparency by posting on district and school websites all policies governing the outsourcing of school functions and contracts with outside providers
  • Make available a list of online educational services or apps that are used within the district.

Recommendations for School Leaders

  • Familiarize yourself with FERPA, state, and district regulations concerning student data privacy
  • Consult with your school district attorney to ensure that any technologies and third-party vendors used by the school comply with FERPA and district requirements
  • Communicate district policies related to student data collection and usage to your teachers and parents
  • Ensure that your teachers have been educated about the use of online educational services and encourage them to use ones approved by the district
  • Clearly communicate third-party vendors’ privacy, security, and breach and indemnification policies to parents about personally identifiable information that is shared with those vendors.