There are many acronyms in education but some of the most talked about recently are FERPA, COPPA and PPRA. And what does all this mean? They are 3 of the main Federal laws that pertain to student data and privacy. As parents, we need to have an understanding of these laws and how they protect our children’s privacy, but it can be confusing, so in an effort to provide information to parents the Future of Privacy Forum, Connect Safely and the National PTA launched the Parent’s Guide to Student Data Privacy to help. This guide provides an overview of the law for students and parents for it’s crucial they understand their rights.
There are increasing number of documents dedicated to addressing student data privacy – the Student Data Privacy Pledge, endorsed by President Obama (shameless plug), the Student Data Principles and now a Parents’ Guide. What is interesting is that they all address different aspects of student data privacy. The Pledge is a voluntary commitment by Ed-Tech companies to safeguard student data. The Data Principles is the education community commitment (teachers, principals, state boards of education, etc.) to build transparency and trust. Both these commitments are important, but the laws that protect student’s privacy and rights can be downright confusing. So in comes the Parent’s Guide to Student Data Privacy which much needed answers to commonly held questions – who has student information, what is FERPA & COPPA, how are they different and what do they protect? When can parents “opt out” of their children’s information from shared?
What is interesting is that all these efforts are conducive to collaboration. They might not be a cure all, but they certainly start the conversation, so let’s discuss the challenges in protecting student data in this rapidly changing world. We must ask questions, ask for comprehensive protections, demand parents be included. Otherwise, their concerns will not be represented.
Regardless of how student data is maintained in schools, parent and student rights remain the same and we must not lose sight of that. We need to know what protections the laws provide as well as how other players in education are committed to protecting student data. I encourage all to refer to the Guide. It has a number of resources for parents wishing to dive deeper, but at a minimum, we now know where to start and can be advocates for our children.
When we’re talking about student data privacy we’re usually talking about things that can go wrong. We forget what a powerful tool data can be. Not only does it help teachers, parents and students identify strengths and weaknesses, but it can serve as a powerful instrument for creating equity, so long as the information is managed properly with the appropriate safeguards in place.
As I talk to people involved in student data privacy, the one question that keeps coming up is “What do you want us to know and focus on as we work on student privacy?” Student data privacy is a personal issue because it involves children. So it is important that we focus on what information we need to protect for students and how that information will be used in the future. Even though the question is seemingly simple, the answers are complex. As a parent, I want lawmakers and organizations to know that having good data sets is important. That students want information that will help them “learn better”. That the data collected belongs to them. And by recognizing their ownership they will generate more useful data from which we will all benefit.
I am concerned that in our effort to protect some students some will be left behind. For example, if we limit data collection, if we allow some to opt out of data collection, how are we skewing the results of data analysis, and its usefulness. If we want equity in education, we need a comprehensive picture of the educational system: what works and what doesn’t. How can we have a diverse school that helps all children if we do not have the data on what their needs are? How can we ensure disadvantaged children receive free or reduced price lunch so they can have a productive day at school without collecting data on their parents’ income? How can policymakers enact policy that combats societal prejudice unless they have comprehensive data sets demonstrating discrimination? Furthermore, how can we help children with learning differences if we don’t know which therapies prove the most effective? All of this information is only available if we have widespread participation, just as vaccinations only prevent disease when we all get immunized.
I understand the concern that highly personal information may be accessed by unauthorized individuals which is why there must be safeguards against breaches of privacy. Strong privacy standards, confidentiality guidelines and adequate training of personnel are essential to improving the education infrastructure. We cannot leave our most vulnerable learners unprotected.
Privacy concerns about the collection of student data are real. But we cannot allow these concerns undermine our efforts to help our most at risk students. The more we know about our students the better we can provide them with opportunities to advance in school and in life.
We talk about building trust so that we can work on protecting student data privacy, but it is difficult to protect student privacy only with policy. We need to also advocate for proper encryption of databases and privacy training. Only when we educate users (schools, districts, parents, students) on proper security practices can we be confident that kids’ information will be safe. Setting policy is important. It provides us with guidelines on what set of rules ought to be followed. But rules may be broken, actually, they are commonly broken. Data breaches are happening more and more often in educational institutions. Mostly, because of someone’s negligence or lack of understanding how the system works; which is why it’s so difficult for people to trust their children’s data is being properly secured. Without real consequences for those failures, all the good policies in the world will not protect student privacy. Parents and students put their information in the hands of their schools. Schools in turn put that information in the hands of the third parties they contract with. The responsibility for the data gets passed on. There has to be adequate security protocols in place.
EdTech companies need to step up and take the lead if they are to be the stewards of our children’s data. We cannot continue to put the burden of security and privacy policies on budget strapped schools. An easy first step would be if companies requested that educational apps in their stores encrypt student data. This is a good first step. Additionally, adopting standard language related to privacy and security makes understanding complex legal issues transparent.
But I also urge school districts to look at their community. Beyond privacy laws what does the school community expect when it comes to privacy? What agreement can the community come to when the issue is the collection, use and sharing of student data? And what is important for different communities when it comes to privacy? That is an important conversation that we need to have.
School districts need to understand best security practices – securing devices, strict password policies, and security audits. School staffs need training so they can understand how to identify those educational apps that provide adequate privacy protections. While there are no measures that can guarantee 100% security and protection of student privacy, awareness of the issues and a proactive approach will prove more effective by ensuring good policy is followed and acted upon. And therefore, I urge policymakers to help schools with the administration of security safeguards.
A FERPA rewrite is important, for we need to our laws and policy to keep up with technological change, but we also need to change our entire approach to security. We must focus on students and how we can use technology to create the learning environment that works best for them.
This year, student data privacy seems to be more popular than ever. Consider this, as of March 5th, there were 138 bills addressing student data privacy. Even more interesting is how student privacy has become such a big part of the conversation in state legislatures. The main message, seems to be, how can states keep student data safe and secure while still continuing to use it to support learning?
However, what is particularly interesting is the proposed rewrite to the Family Education Rights and Privacy Act (FERPA). This rewrite would expand parental rights, set guidelines for student data use by third parties and establish penalties for failure to follow these guidelines. Congressmen John Kline and Bobby Scott circulated a draft of the proposal amongst several organizations asking for comments. Now, I haven’t seen the draft but I hope that everyone reading this is focused on building an infrastructure which safeguards student data so we can all get the most out of the technological advances sure to come. I would love to see clear guidance for schools and other education institutions. Teachers, school board members and other personnel require training on data usage by third party vendors. It is important to get this right because as Amelia Vance, NASBE’s director of education data and technology so rightly said – When regulating student data privacy: Don’t throw the baby out with the bathwater.
I see a great need to acknowledge that school personnel, school board members and third party vendors will require training on adequate data usage and protection. We can pass new laws and update FERPA, but it will not make a difference unless the people charged with carrying out these mandates are adequately prepared. The burden increasingly falls on school administrators, and what are they to do when they have limited time and are in an already budget strapped school?
The legislation will also require educational institutions to enter into a written agreements with a third parties before any data sharing can occur. This is, I believe, one of the strongest points being made on the Bill. This requirement prohibits third parties from sharing information with others unless there is a clear written agreement to do so and that this agreement is compliant with federal law. If the Bill manages to establish what requirements the written agreements should have we could be looking at increased student data protection as it relates to third party usage. Further, if strong guidelines for security standards are outlined, there could be an increase in the safety of student data as clear security standards will need to be adhered to. Requiring strong security standards for third parties will create a greater security net for student data provided there are clear and steep penalties if third parties do not comply with these requirements.
I will certainly keep an eye on this draft as it moves through. I strongly urge anyone providing direct feedback to consider that as much as strong privacy policies are essential, the ability for students to use technology, own their data and be confident it is safe, private and secure is really what matters in this debate. Let’s continue to work on protecting student data privacy. We need to be smart about how to best protect student data, because the impact of any legislation passed will be felt for years to come. Many of these consequences are unforeseeable and we do not want to hamper the development of what could be valuable tools for helping our students learn.
Any suggestions to add to the FERPA rewrite?
Guess what?? I got to meet Kathleen Styles, the US Department of Education Chief Privacy Officer. Not only did I get to meet with her, we had the opportunity to talk student privacy and the challenges ahead. All this happened as part of a panel I participated on at the National School Boards Association (NSBA) conference in Nashville. With the increased use of student data systems and SLDS used for education decision making and reporting, this panel was particularly important for members of School Board Associations.
During the panel discussion, there were many questions about how to best protect student privacy without impeding the effective use of this information. How do we preserve the reliability of the data while ensuring student privacy? The unanimous consensus is that we need to balance the need for student data with protecting student privacy. This balance can foster trust between the stewards of the data (schools) and the owners of this data (students and parents). But how do we get there? How do we get to the point that we trust schools and school boards to make the right decisions when it comes to ensuring student privacy? My claim is that we need transparency to build trust. We cannot have privacy discussions in a vacuum or enact one-way policies and then expect parents, students and schools to work together and trust each other. Student data is a big deal. There is no other way to say it. It is student information, and yet students lack ownership in the decision making process. So we need to create concrete steps to help schools build transparency into their practices. More importantly, there is a deep need for training and help in implementing best practices in schools so that they can not only adequately safeguard student data but build trust between all stakeholders.
This is a tall order. Members of School Boards need to gather information from various sources in order to decide what works best for their particular school district. We need to provide better guidance and information on how best to protect student privacy while implementing tight security practices. Schools require training and materials that will support the implementation of comprehensive privacy practices in schools. How can budget and time strapped schools dedicate any time to privacy? It is difficult when you have limited resources and schools are faced with an either/or decision where privacy likely always comes second. Schools are often forced to choose between fixing the desks, buying textbooks and investing in privacy. So I get it but that doesn’t mean we stop the conversation. It means we find smarter ways to work on this because the topic is so important. It is time for School Boards to provide guidance to principals and teachers and help them develop best day-to-day operation practice.
Having these panel discussions is not going to magically fix the issues we continue to struggle with when it comes to student privacy. However, making policies available to the broader audience, explaining in a clear and concise manner how data is (or isn’t) used helps shift peoples conversations and broadens everyone’s lens when moving forward. An important part of the panel discussion was how do we build that trust and enact best practices. Members of School Boards want to do the right thing but at the same time don’t want to be limited by state and federal regulations that could potentially impede the use of data.
I walked away from this panel thinking how we need to develop concrete steps to help school boards on how to create privacy frameworks that commit schools to greater transparency. Because once we have transparency and build trust our conversation can focus on establishing sound practices that will enable us to effectively use student data while protecting student privacy.
Of course, members of School Boards can always visit our own FERPA|Sherpa website or the newly developed PTAC from the US Department of Education as well as iKeepSafe’s website. All full of pragmatic, practical and objective resources for anyone looking to learn more about student data privacy. I for one consider myself incredibly lucky to have had the opportunity to be on this panel. Not only did I learn a tremendous amount on student data privacy, but I was able to meet great people like our own Ferpa|Sherpa, Alan Smpson from iKeepSafe, our panel facilitator Laurie Dechery from Lifetouch and, of course Kathleen Styles. These are conversations we need to have to establish a collaborative framework. These are the conversations that begin at conferences but continue to be debated. I have my ideas on how many people will be attending the privacy discussions at this conference – and my guess is a lot. A lot of people will need privacy discussions to be at the forefront of future conferences.