A very busy week for FERPA


It has been a very very busy week for FERPA and it reminds me of Eric Carle’s The Very Busy Spider – the spider wouldn’t stop building her web. So as we busily build our privacy web, introducing more and more bills, I believe it is worth discussing the implications of proposing bills that severely restrict the effective use of data. Sen. David Vitter (R-LA) introduced an amendment to FERPA entitled the Student Privacy Protection Act. However, unlike other bills, this one seems to restrict the use of data to understand how we can support learners more effectively.

The bill would only allow aggregated, anonymized and de-identified data to be used for State Longitudinal Data Systems (SLDS) and prohibits predictive analytics. At first glance, using only aggregated data seems like a good idea, but here is the issue: the bill prohibits the use of data that helps measure student outcomes. It prohibits the use of federal funds to support “affective computing” that includes the analysis of physical or biological characteristics such as facial expressions or brain waves. And while I understand the concern of a neurotypical child to have this granular information captured, to the parent of a special needs child this information could prove to be the difference between the struggle of an academic journey to a successful one. If predictive analytics are allowed, the information obtained can prove invaluable to students with special needs.

What if we cannot use the data on an SLDS to determine how we are helping English Language Learners? How can we answer the question – Do you have information on English Language Learners? If we cannot track the performance and graduation rates of ELL’s, how can we be sure we are providing those children with the most appropriate resources and whether the application of those resources is successful? Or take the high school dropout rates. If we cannot access SLDS data, how can we measure success for all students? For example, we know that the dropout rates between Whites and Hispanics narrowed from 23 percentage points in 1990 to 8 percentage points in 2012? We can’t’ answer these questions without data. And if our goal is to provide a truly equitable education system, a system that serves all students, we cannot deny the use and analysis of this valuable data. Further, how can we determine how many students with disabilities are receiving support services in schools? And are these support services effective?

It is clear that most bills relating to student privacy are looking to protect student data and to respond to parent concerns. But we must be careful that in our effort to protect students we do not impose restrictions that would rob us of valuable insights on how to better serve their educational needs. We cannot make smart decisions without complete data sets.

It is clear that with so many student data privacy bills we are responding to parent’s concerns, however, we cannot make the bills so restrictive that we cannot use the data. Instead of restricting the use of data, I propose we train staff and make them aware of the implication of misuse of data but let’s not shut the system down and make decisions in a vacuum. We need the data, it’s important we be able to make informed decisions. Let’s focus on having comprehensive data sets and host them in secured environments with staff trained in the proper handling of data protocols. Knowledgeable staff educated in the ethical and effective use of data can better protect student privacy than removing data from an SLDS. Only by responsibly using relevant data can we ensure we deliver an equitable school system for all students.



Storytelling as Privacy


If you are the parent of a 5th grader in public school and live in NYC you most likely went through the dreaded “middle school application process” and while there are many issues to discuss around the concept of “choice” in schools in NYC one particular aspect caught my attention. A few weeks ago, this group of anxious and eager 11 year olds received their middle school acceptance letters. Teachers and Principals sent the message home to be mindful of their classmates who may not have gotten into the school of their choice and to respect their privacy. But what does that really mean to an 11yr old? So I asked my 11yr old friends (full disclosure they are my 11yr old kid and group of friends) what they thought privacy means to them. Some said Privacy is “when grown ups leave me alone” or “when I don’t want to tell someone something about myself.” Pretty interesting coming from 5th graders. To them, the notion of privacy isn’t a particular rigid set of rules and regulations. Privacy is having agency over what information they choose to disclose or not depending on the situation.

It is remarkable that to these truly connected kids, most of them having a smartphone, tablet, laptop, etc., their concept of privacy did not initially go to the electronic medium they were using and the data points they were providing. Their conception of ownership of their information and deciding how they disclose was central to their idea for defining privacy. They did not define privacy by what people should not see, they see privacy as their ability to control their own information and decide what story their information would tell. And I see similar responses when I talk to college students. Their idea of privacy is related to the concept of ownership. For most of them it’s about being able to decide when and what they want to disclose whether it is in conversations with their friends or in their social media accounts.

So as I watched these anxious soon to be middle schoolers receiving their acceptance letters, I could see the anxiety of their parents looking over their shoulder and friends wanting to know what school they got accepted into. But most kids wanted to be able to decide how and when they disclosed this truly personal piece of their story.

So as we continue our conversations around student privacy, as we debate whether laws should be updated to reflect technological advances, lets take a step back and think about how kids feel about these conversations about them that for the most part don’t include them. We talk about student privacy, we discuss what children’s data should or should not be collected but we continually leave students on the sidelines watching the debate about them but not asking for their input.

So yes, we are the responsible adults and should be making decisions that we believe are in the best interests of our children. But I urge all of us to include students in this debate. How do they feel about their privacy? Are we making decisions about their privacy when they would want something different for themselves? After all, it is their data, it is their information, it is their story. They should have a say on how their story unfolds.




So many privacy bills, so little time…..


It is May and so far 42 states have introduced 170 student privacy bills which is encouraging to know as a parent of children who will be students for quite some time. Of these, there are two Federal bills advancing in the US House of Representatives. On the one hand, Congressmen Kline (R-MN) and Scott (D-VA) circulated draft legislation to rewrite FERPA. On the other, Congressmen Polis (D-CO) and Messer (R-IN) introduced the Student Digital Privacy and Parental Rights Act. The goal of this act is mostly to regulate online service providers in a way that balances data security without hindering the ability of teachers, schools, and other stakeholders in using the data to effectively support instruction.

Which one is better? Well, I don’t think they are mutually exclusive. I think we can all agree that FERPA needs to be updated. It needs to address the privacy challenges that come with technological advancement. Something the 40 year old law hasn’t been able to keep up with. But what is interesting on the Polis-Messer bill is that it balances the essential need to protect student data and enables (and encourages) the use of technology without implementing unreasonable restrictions that would impede the effective use of data to help students improve their learning outcomes. More importantly, the bill bans online service providers from creating profiles of students that could be used for advertising to them or their parents, thus eliminating that creepy factor of profiling students for marketing purposes. And I am all for data use but certainly not when the data collected on my child will be used to advertise products or services to them.

Unfortunately neither bill addresses the dire need for training teachers, principals, school boards and even parents and students. Training so desperately needed. Without adequate training, they will not be able to identify what is appropriate (and legal) use of data. How can we expect schools to make the right decisions when it comes to safeguarding our children’s data when they do not have adequate training on data privacy and security? Furthermore, I do not see any acknowledgement of learner ownership in either bill. We must recognize students as the ultimate owners of their data, for without this recognition we will once again fail to make privacy something that is inextricably linked to their education and continue to make privacy something that just happens to students – if they are lucky. Finally, I find the option of opting out of data collection a weak portion of the bills. And it is simple – if we have the option of allowing students to opt out of LEA or SEA data sets we are limiting the ability of research organizations to determine whether education policies are working for every student or not. How can we build an equitable education system when we are analyzing incomplete data sets? They will then undoubtedly provide skewed results? We cannot adequately protect our most vulnerable students if policymakers are basing decisions on incomplete data. I urge all of us to think about the inequities we might be inadvertently creating when opting out of educational data sets. We cannot achieve a true equitable educational system with broken data.

Both bills have a way to go before they can become law, but this is why it’s important to join the conversation now when many states and the Federal government are first looking seriously at protecting student privacy – and that matters.

We have the responsibility and opportunity to help shape the debate that will result in policy at the State and Federal level and we cannot let this pass by. In the meantime, President Obama continues to encourage progress in safeguarding student data. Earlier this week the White House commended Representatives Polis and Messer on their efforts to protect student privacy. And well, that has to count for something – right???



A Guide for Parents on Student Data Privacy!


There are many acronyms in education but some of the most talked about recently are FERPA, COPPA and PPRA. And what does all this mean? They are 3 of the main Federal laws that pertain to student data and privacy. As parents, we need to have an understanding of these laws and how they protect our children’s privacy, but it can be confusing, so in an effort to provide information to parents the Future of Privacy Forum, Connect Safely and the National PTA launched the Parent’s Guide to Student Data Privacy to help. This guide provides an overview of the law for students and parents for it’s crucial they understand their rights.

There are increasing number of documents dedicated to addressing student data privacy – the Student Data Privacy Pledge, endorsed by President Obama (shameless plug), the Student Data Principles and now a Parents’ Guide. What is interesting is that they all address different aspects of student data privacy. The Pledge is a voluntary commitment by Ed-Tech companies to safeguard student data. The Data Principles is the education community commitment (teachers, principals, state boards of education, etc.) to build transparency and trust. Both these commitments are important, but the laws that protect student’s privacy and rights can be downright confusing. So in comes the Parent’s Guide to Student Data Privacy which much needed answers to commonly held questions – who has student information, what is FERPA & COPPA, how are they different and what do they protect? When can parents “opt out” of their children’s information from shared?

What is interesting is that all these efforts are conducive to collaboration. They might not be a cure all, but they certainly start the conversation, so let’s discuss the challenges in protecting student data in this rapidly changing world. We must ask questions, ask for comprehensive protections, demand parents be included. Otherwise, their concerns will not be represented.

Regardless of how student data is maintained in schools, parent and student rights remain the same and we must not lose sight of that. We need to know what protections the laws provide as well as how other players in education are committed to protecting student data. I encourage all to refer to the Guide. It has a number of resources for parents wishing to dive deeper, but at a minimum, we now know where to start and can be advocates for our children.

To read the Guide please click here. Hosted at our very own FERPA|Sherpa site…..more shameless plugs….




The positive side of data collection  


When we’re talking about student data privacy we’re usually talking about things that can go wrong. We forget what a powerful tool data can be. Not only does it help teachers, parents and students identify strengths and weaknesses, but it can serve as a powerful instrument for creating equity, so long as the information is managed properly with the appropriate safeguards in place.

As I talk to people involved in student data privacy, the one question that keeps coming up is “What do you want us to know and focus on as we work on student privacy?” Student data privacy is a personal issue because it involves children. So it is important that we focus on what information we need to protect for students and how that information will be used in the future. Even though the question is seemingly simple, the answers are complex. As a parent, I want lawmakers and organizations to know that having good data sets is important. That students want information that will help them “learn better”. That the data collected belongs to them. And by recognizing their ownership they will generate more useful data from which we will all benefit.

I am concerned that in our effort to protect some students some will be left behind. For example, if we limit data collection, if we allow some to opt out of data collection, how are we skewing the results of data analysis, and its usefulness. If we want equity in education, we need a comprehensive picture of the educational system: what works and what doesn’t. How can we have a diverse school that helps all children if we do not have the data on what their needs are? How can we ensure disadvantaged children receive free or reduced price lunch so they can have a productive day at school without collecting data on their parents’ income? How can policymakers enact policy that combats societal prejudice unless they have comprehensive data sets demonstrating discrimination? Furthermore, how can we help children with learning differences if we don’t know which therapies prove the most effective? All of this information is only available if we have widespread participation, just as vaccinations only prevent disease when we all get immunized.

I understand the concern that highly personal information may be accessed by unauthorized individuals which is why there must be safeguards against breaches of privacy. Strong privacy standards, confidentiality guidelines and adequate training of personnel are essential to improving the education infrastructure. We cannot leave our most vulnerable learners unprotected.

Privacy concerns about the collection of student data are real. But we cannot allow these concerns undermine our efforts to help our most at risk students. The more we know about our students the better we can provide them with opportunities to advance in school and in life.



Privacy policies and Security– can we get it right???


We talk about building trust so that we can work on protecting student data privacy, but it is difficult to protect student privacy only with policy. We need to also advocate for proper encryption of databases and privacy training. Only when we educate users (schools, districts, parents, students) on proper security practices can we be confident that kids’ information will be safe. Setting policy is important. It provides us with guidelines on what set of rules ought to be followed. But rules may be broken, actually, they are commonly broken. Data breaches are happening more and more often in educational institutions. Mostly, because of someone’s negligence or lack of understanding how the system works; which is why it’s so difficult for people to trust their children’s data is being properly secured. Without real consequences for those failures, all the good policies in the world will not protect student privacy. Parents and students put their information in the hands of their schools. Schools in turn put that information in the hands of the third parties they contract with. The responsibility for the data gets passed on. There has to be adequate security protocols in place.

EdTech companies need to step up and take the lead if they are to be the stewards of our children’s data. We cannot continue to put the burden of security and privacy policies on budget strapped schools. An easy first step would be if companies requested that educational apps in their stores encrypt student data. This is a good first step. Additionally, adopting standard language related to privacy and security makes understanding complex legal issues transparent.

But I also urge school districts to look at their community. Beyond privacy laws what does the school community expect when it comes to privacy? What agreement can the community come to when the issue is the collection, use and sharing of student data? And what is important for different communities when it comes to privacy? That is an important conversation that we need to have.

School districts need to understand best security practices – securing devices, strict password policies, and security audits. School staffs need training so they can understand how to identify those educational apps that provide adequate privacy protections. While there are no measures that can guarantee 100% security and protection of student privacy, awareness of the issues and a proactive approach will prove more effective by ensuring good policy is followed and acted upon. And therefore, I urge policymakers to help schools with the administration of security safeguards.

A FERPA rewrite is important, for we need to our laws and policy to keep up with technological change, but we also need to change our entire approach to security. We must focus on students and how we can use technology to create the learning environment that works best for them.



A FERPA Rewrite?



This year, student data privacy seems to be more popular than ever. Consider this, as of March 5th, there were 138 bills addressing student data privacy. Even more interesting is how student privacy has become such a big part of the conversation in state legislatures. The main message, seems to be, how can states keep student data safe and secure while still continuing to use it to support learning?

However, what is particularly interesting is the proposed rewrite to the Family Education Rights and Privacy Act (FERPA). This rewrite would expand parental rights, set guidelines for student data use by third parties and establish penalties for failure to follow these guidelines. Congressmen John Kline and Bobby Scott circulated a draft of the proposal amongst several organizations asking for comments. Now, I haven’t seen the draft but I hope that everyone reading this is focused on building an infrastructure which safeguards student data so we can all get the most out of the technological advances sure to come. I would love to see clear guidance for schools and other education institutions. Teachers, school board members and other personnel require training on data usage by third party vendors. It is important to get this right because as Amelia Vance, NASBE’s director of education data and technology so rightly said – When regulating student data privacy: Don’t throw the baby out with the bathwater.

I see a great need to acknowledge that school personnel, school board members and third party vendors will require training on adequate data usage and protection. We can pass new laws and update FERPA, but it will not make a difference unless the people charged with carrying out these mandates are adequately prepared. The burden increasingly falls on school administrators, and what are they to do when they have limited time and are in an already budget strapped school?

The legislation will also require educational institutions to enter into a written agreements with a third parties before any data sharing can occur. This is, I believe, one of the strongest points being made on the Bill. This requirement prohibits third parties from sharing information with others unless there is a clear written agreement to do so and that this agreement is compliant with federal law. If the Bill manages to establish what requirements the written agreements should have we could be looking at increased student data protection as it relates to third party usage. Further, if strong guidelines for security standards are outlined, there could be an increase in the safety of student data as clear security standards will need to be adhered to. Requiring strong security standards for third parties will create a greater security net for student data provided there are clear and steep penalties if third parties do not comply with these requirements.

I will certainly keep an eye on this draft as it moves through. I strongly urge anyone providing direct feedback to consider that as much as strong privacy policies are essential, the ability for students to use technology, own their data and be confident it is safe, private and secure is really what matters in this debate. Let’s continue to work on protecting student data privacy. We need to be smart about how to best protect student data, because the impact of any legislation passed will be felt for years to come. Many of these consequences are unforeseeable and we do not want to hamper the development of what could be valuable tools for helping our students learn.

Any suggestions to add to the FERPA rewrite?



What challenges are school boards facing when it comes to protecting student privacy?


Guess what?? I got to meet Kathleen Styles, the US Department of Education Chief Privacy Officer. Not only did I get to meet with her, we had the opportunity to talk student privacy and the challenges ahead. All this happened as part of a panel I participated on at the National School Boards Association (NSBA) conference in Nashville. With the increased use of student data systems and SLDS used for education decision making and reporting, this panel was particularly important for members of School Board Associations.



During the panel discussion, there were many questions about how to best protect student privacy without impeding the effective use of this information. How do we preserve the reliability of the data while ensuring student privacy? The unanimous consensus is that we need to balance the need for student data with protecting student privacy. This balance can foster trust between the stewards of the data (schools) and the owners of this data (students and parents). But how do we get there? How do we get to the point that we trust schools and school boards to make the right decisions when it comes to ensuring student privacy? My claim is that we need transparency to build trust. We cannot have privacy discussions in a vacuum or enact one-way policies and then expect parents, students and schools to work together and trust each other. Student data is a big deal. There is no other way to say it. It is student information, and yet students lack ownership in the decision making process. So we need to create concrete steps to help schools build transparency into their practices.  More importantly, there is a deep need for training and help in implementing best practices in schools so that they can not only adequately safeguard student data but build trust between all stakeholders.

This is a tall order. Members of School Boards need to gather information from various sources in order to decide what works best for their particular school district. We need to provide better guidance and information on how best to protect student privacy while implementing tight security practices. Schools require training and materials that will support the implementation of comprehensive privacy practices in schools. How can budget and time strapped schools dedicate any time to privacy? It is difficult when you have limited resources and schools are faced with an either/or decision where privacy likely always comes second. Schools are often forced to choose between fixing the desks, buying textbooks and investing in privacy. So I get it but that doesn’t mean we stop the conversation. It means we find smarter ways to work on this because the topic is so important. It is time for School Boards to provide guidance to principals and teachers and help them develop best day-to-day operation practice.

Having these panel discussions is not going to magically fix the issues we continue to struggle with when it comes to student privacy. However, making policies available to the broader audience, explaining in a clear and concise manner how data is (or isn’t) used helps shift peoples conversations and broadens everyone’s lens when moving forward. An important part of the panel discussion was how do we build that trust and enact best practices. Members of School Boards want to do the right thing but at the same time don’t want to be limited by state and federal regulations that could potentially impede the use of data.

I walked away from this panel thinking how we need to develop concrete steps to help school boards on how to create privacy frameworks that commit schools to greater transparency. Because once we have transparency and build trust our conversation can focus on establishing sound practices that will enable us to effectively use student data while protecting student privacy.

Of course, members of School Boards can always visit our own FERPA|Sherpa website or the newly developed PTAC from the US Department of Education as well as iKeepSafe’s website. All full of pragmatic, practical and objective resources for anyone looking to learn more about student data privacy. I for one consider myself incredibly lucky to have had the opportunity to be on this panel. Not only did I learn a tremendous amount on student data privacy, but I was able to meet great people like our own Ferpa|Sherpa, Alan Smpson from iKeepSafe, our panel facilitator Laurie Dechery from Lifetouch and, of course Kathleen Styles. These are conversations we need to have to establish a collaborative framework. These are the conversations that begin at conferences but continue to be debated.  I have my ideas on how many people will be attending the privacy discussions at this conference – and my guess is a lot. A lot of people will need privacy discussions to be at the forefront of future conferences.

IMG_9807 (1)




What are the Student Data Privacy Principles?


On March 10th, the Consortium for School Networking (COSN) and the Data Quality Campaign released 10 privacy principles for student data. So what exactly are these Principles and how are they different from the Student Data Privacy Pledge? The privacy principles are a guide for protecting student data privacy in schools but more importantly, they show that anyone signing on to these principles is serious about student privacy. The guidelines are a great way to support schools and members of the educational community.

Unlike the Student Data Privacy Pledge, these principles are not enforceable by law but I don’t think that lessens the importance of signing on. Anyone signing on to the principles is sending a message that it is ingrained in their culture to integrate these guides into their organization’s thinking. And that is key because it places student data privacy at the forefront. Also worth noting is that these are matching commitments from the “other” side of the table so to speak. These are commitments from the education community to match the Pledge commitments made by vendors which shows the coordination between diverse stakeholder groups, all focused on the same ideas and goals.

Students are the ones that stand to win by the use of technology. They also are the ones that can lose it all if we are not smart when making decisions on student privacy. If we negate students in our thinking, if we do not recognize that our decisions affect kids, we cannot develop effective policies that protect student information in an equitable manner. The Principles are one more piece of the puzzle to help build consensus on best practices.

My favorite Principles? Easy –“Student data should be used to further and support student learning and success” and “student data should be used to inform and not replace the professional judgment of educators.” And this is important because by recognizing that student data matters and that it can and should be used to help students we are moving our conversation into a more comprehensive view of privacy instead of just one of security concerns. It is important we provide educators and educational institutions, with the best training on privacy practices while encouraging them to help students further their learning.

I am encouraged that slowly but surely we are recognizing that this conversation is about students and their future. It is about us helping them get the best education we can provide for them. Because after all, it is about students empowering their education and using the data to make education something they own and not something that just happens to them.

Our conversation shouldn’t stop here. The Principles are a great framework to follow but they certainly are not a cure all. Our conversations on privacy and data need to continue so that we can provide students with the assurance that we will protect their data, we will use it ethically and effectively and will let them take ownership of it so they can use it to their advantage.

If you want to read the principles you can find them here.



Social Media Monitoring, Privacy and Students


“Pearson is spying on kids” was the statement dominating this week. But the reality is that Pearson, like most major corporations, is involved in social media monitoring. Companies do this monitoring so that they can improve their product, provide better service or promote their brand. One could say that we should expect for major corporations to monitor our online activity when we mention their brands on social media. However, in this particular case, Pearson is not just randomly collecting everything anyone says about the test, but in fact monitoring to identify and track anything that appears to be a violation of the test integrity. In this case, the student’s tweet describing a particular test question. Further, testing companies actually have an affirmative duty to do this monitoring imposed by contract or other methods in order to ensure that schools can rely on the validity of the test results.

But for me, what is most important is the fact that we have engaged in the debate whether this practice is or isn’t acceptable while completely ignoring how students feel about this. Have we stopped to think if students care or, dare we say, expect it even? You see, as adults we can express our outrage over a multinational corporation monitoring students but are we speaking for students or for ourselves? Is this our outrage or the students?

I talk with students all the time, from elementary school age kids through college and their responses are vastly different. College students know and expect for their social media activity to be monitored, watched, some even do all they can to be noticed. K-12 students think differently. They expect to be watched by their teachers, parents, peers etc. but certainly do not expect companies monitoring social media to see who mentioned a test. And here is where it gets interesting. I asked some 5th grade students how they would feel if they posted something online and it became public information. They said that everything they do is seen by their parents and their parents are always posting things about them anyway. They expect someone to be looking at what they do all the time. So have we conditioned kids to expect to be monitored and tracked? Have we unconsciously blurred the lines between private and public for kids so much that they expect to be watched all the time? We have created an atmosphere of mistrust because we don’t trust the education and technology sector. How do we teach students to trust the technology in their schools? As many noted on Twitter, there is outrage over Pearson monitoring discussions about a test but deafening silence about constant social media monitoring students of color. There are so many instances of social media used for profiling that it is difficult to understand why it’s ok to monitor a certain group of students but not another. We need to examine online profiling and what we are doing by wanting to protect some students.

But more importantly, we must listen to students so we understand what privacy means to them and what they expect we give them when it comes to privacy protections. Students will still talk about tests. It’s what kids do. They will just do it in true private venues, in person, whispering in the backyard so that adults leave them alone. What opportunities are we missing by not acknowledging students in this debate? The issue about social media monitoring is about much more than one company concerned about one tweet. The issue is how do we come to terms that social media monitoring is persistent even in the education sector, it’s about establishing what is ok to monitor and what is not.