An invitation for comments on student data privacy

The National Association of Secondary School Principals has an initiative to provide policy recommendations to ensure the protection of student data privacy and appropriate use of student data to improve teaching and learning in the classroom.

This initiative is of particular interest in that the NASSP is opening their statement to public comments. We often ask for our voices to be heard in the student data privacy debate and this is an opportunity to submit comments and ideas.

Technology is making it easier for schools and States to collect and analyze data to help them make informed decisions on issues that need to be addressed and what is working in schools. Even though this provides valuable information, we must ensure that the guidelines established adequately protect student privacy. The preliminary statement has interest recommendations. In particular the section “Recommendations for School Leaders” as it focuses on communication and transparency. It asks that district policies related to student data are communicated to teachers and parents and that teachers are educated about the use of online educational services. These recommendations address some of the main concerns parents and school districts have.

The full text is below or you can read it here

Please consider making comments to the initiative. Parent feedback can provide deep insights into the student data privacy debate. This is an opportunity to offer our perspective. The comments section is open through January 7th, 2015.

   Student Data Privacy

The NASSP Board of Directors stated on November 7, 2014 its intention to adopt the following position statement, following a 60-day comment period. NASSP members and others are invited to submit comments on this statement by January 7, 2015 to[email protected]. The Board will include public comments as it deliberates final adoption of the statement at its February 2015 meeting.



To provide policy recommendations to ensure the protection of student privacy and appropriate use of student data to improve teaching and learning in the classroom.


Data-driven decision-making has become a tenet of high-performing schools and is essential to transforming teaching and learning in the classroom. The Alliance for Excellent Education says that the “effective use of data and learning analytics are both critical components of a digital learning strategy to personalize learning for many more students, especially to increase student retention and achievement in the highest-need schools (page 2).” Narrowing achievement gaps and assisting all students to be college and career ready upon high school graduation have economic implications as well. In a report examining the potential of the use of data in education, the McKinsey Global Institute estimates “the potential value from improved instruction to be $310 billion to $370 billion per year worldwide, largely through increased lifetime earnings (page 22).”

Technology has made it easier for principals and teachers to collect and analyze data at the school level, and districts and states are now creating longitudinal database systems to help them make structural changes in education that will have a greater impact on more students. For this reason, educators at all levels are authorizing third-party vendors to have access to student data. These vendors offer services that purport to assist educators in communicating with parents—improving the quality of education programs, providing supports and services for students, and providing secure data storage. In fact, every electronic device and application with a connection to the Internet could potentially be used to collect or access student data.

While the collection and analysis of student data is essential to the teaching and learning process, this must be done within parameters that protect the privacy of students and ensure that their data is used only for legitimate educational purposes. The Family Educational Rights and Privacy Act (FERPA) was enacted in 1974 and generally prohibits schools from disclosing personally identifiable information in students’ education records without consent. There are exceptions to the consent requirement, including one that allows the disclosure of such information to “school officials” for educational purposes. This particular provision was expanded in 2008 when the US Department of Education approved new regulations clarifying that third-party vendors (such as those who help manage school databases or provide digital curriculum) can be included within the school official exception. While third parties must be under the direct control of the school in terms of how they use and maintain the records and only use the records for the purposes for which they were shared, there is some concern that there are still gaps in the protection of student data. Overall, while most policymakers and educators understand the value of data collection in improving educational quality, there is some concern that FERPA itself, as well as the accompanying regulations, have become outdated in the new digital age.

In 2014, a congressional hearing was held to address student data privacy issues and a Senate bill was introduced to update FERPA and clarify that third parties are forbidden from using student information for marketing and advertising purposes. Fourteen states also enacted laws to strengthen student privacy protections, and the National Conference of State Legislatures reports that more than 100 student privacy bills were introduced in 36 states. Each principals’ full understanding of and familiarity with federal, state, and district policies on data collection and student privacy requirements are essential as this issue further develops.

Guiding Principles

NASSP believes that data has the power to transform teaching and learning by helping educators identify and provide supports to all students, assisting teachers and school leaders in improving their instructional practices, and informing schoolwide improvement activities.

NASSP believes that student data should only be used for the purpose of informing education policy, practice, and research and to deliver educational services to students.

NASSP believes that technology-enhanced data collection and analysis can assist schools in the planning and delivery of a student-centered, personalized, and individualized learning experience for each student—a fundamental tenet of theBreaking Ranks framework for school improvement.


Recommendations for Federal Policymakers

  • Develop policies on the use of student data that balance privacy and property protection with the need to improve teaching and learning
  • Require strong encryption standards for any federal agency or vendor that is collecting and/or storing sensitive student data
  • Provide guidance to states regarding the collection, storage, security protections, and destruction of student data
  • Provide funding to states and districts to help them address privacy issues related to student data
  • Ensure that personal information and online learning activities are not used to target advertising to students or their families
  • Limit nonconsensual access to personally identifiable student data to school, district, or state educational agency employees.

Recommendations for State Policymakers

  • Establish a statewide data security plan to address administrative, physical, and technical safeguards
  • Develop data breach notification policies for districts and schools
  • Identify a state-level official who is responsible for privacy, data security, and compliance with all federal and state privacy laws and regulations
  • Develop policies on data collection, storage, and access to ensure that student data collected through statewide longitudinal data systems is protected from inappropriate sharing or use
  • Provide guidance to districts and schools regarding the collection, storage, security protections, and destruction of student data.

Recommendations for District Policymakers

  • Develop clear policies about what student information is collected, how that data is used, to whom the data is disclosed, and each party’s responsibilities in the event of a data breach
  • Ensure that data security practices include proper data deletion and disposal, including purging of electronic data, shredding physical documents, and destroying the presence of all data on old electronic equipment where data has been stored
  • Identify a district privacy officer who is responsible for monitoring and complying with federal, state, and district policies on data privacy and for guiding school leaders and teachers in their use and protection of data
  • Provide training for all district staff to ensure they understand basic legal requirements, their responsibilities, and specific district policies concerning student data
  • Ensure that principals receive training on policies and procedures that support prevention of—and specify steps to be taken in the event of—a data breach. This should include procedures to notify authorities, parents, and other community members
  • Educate district staff about online educational services (paid and free) and how to determine whether they comply with FERPA and state and district regulations
  • Coordinate an annual privacy training for all school and district employees who have access to personally identifiable student data, adopt online educational services or apps, or procure and contract with service providers
  • Ensure that all third-party vendors that collect or have access to student data have written contracts that specifically address privacy and the allowable uses of personally identifiable information, and prohibit redisclosure of personally identifiable information without parental consent
  • Establish a policy whereby all data created by students, teachers, and other school staff is an “education record” in order to maintain control of how outside providers may access the data
  • Communicate directly with parents about the collection and use of student data and the privacy measures and protections that are in place to preempt confusion and misunderstanding
  • Prior to using online educational services, ensure that the contract or “terms of service” contain all necessary legal provisions governing access, use, protection, and destruction of student data
  • Ensure that agreements with outside providers include provisions allowing direct and indirect parental access to student data
  • Ensure greater transparency by posting on district and school websites all policies governing the outsourcing of school functions and contracts with outside providers
  • Make available a list of online educational services or apps that are used within the district.

Recommendations for School Leaders

  • Familiarize yourself with FERPA, state, and district regulations concerning student data privacy
  • Consult with your school district attorney to ensure that any technologies and third-party vendors used by the school comply with FERPA and district requirements
  • Communicate district policies related to student data collection and usage to your teachers and parents
  • Ensure that your teachers have been educated about the use of online educational services and encourage them to use ones approved by the district
  • Clearly communicate third-party vendors’ privacy, security, and breach and indemnification policies to parents about personally identifiable information that is shared with those vendors.


What is the Cloud?

A friend of mine said in a conversation “the cloud is a computer in another room.” Another friend looked at me when I asked him what the cloud was and he pointed to a room full of servers. So what does the cloud really look like? For the most part, it looks like this.


Today we do many different types of work in the cloud. If you have checked your email, you have used the cloud. When using the cloud, your computer or device connects with different servers in remote locations. Some of these servers are specialized for storage, while others are running applications. The cloud can be very useful when checking email or collaborating documents online with services like Google Docs.

So why is the concept of the cloud so controversial when it comes to student data and education? I believe the debate should not strictly be about the security and privacy of student data in the cloud, but whether that data is safer in the cloud than on a local server managed by a budget strapped school district. As more schools move into a digital world with managed databases providing real time student performance, schools need the ability to manage all this information. In order to do that, cloud services that remotely host this information provide an efficient, affordable and arguably safer environment for a school to operate. If each school hosted their own server they would need IT support staff on site to manage and secure their databases. Most schools have neither the budget nor enough people to maintain these systems. Often, they are reliant on parent volunteers.

And while many arguments support using cloud service providers, we must also look at the shortfalls in these systems. Recently, the Center on Law and Information Policy at the Fordham University School of Law conducted a research study on the privacy of student data in the cloud. One of the most interesting findings, for me, was that about 95% of school districts already use cloud services for managing school operations. But that most schools had poorly executed contractual agreements. School districts did not put in place adequate privacy protection policies for student records and access controls for different individuals in the schools were not clearly defined. Further, the study found that some of the contracts did not comply with FERPA’s requirement that data be deleted after it is no longer needed for the purposes it was provided. Should we be concerned? I think so. Schools and parents should be assured that student data is adequately protected by strong privacy policies and security controls. But these concerns are more with how the contracts are structured than with how secure the data is in the cloud.

Students have a right of ownership of their data and they should be informed of how their data is collected, managed and shared amongst different service providers. Schools need to understand what security controls are in place to protect their data. The Department of Education has provided guidelines on how FERPA applies to student data stored in the cloud and schools must ensure that their cloud service provider is following these guidelines in order to provide reliable privacy protections for students.

Considering the vast amount of student data stored in the cloud and in different educational apps, it is the responsibility of schools and cloud service providers to work hand in hand with students’ privacy rights in mind. And only with transparent security and privacy practices will schools and cloud service providers be able to demonstrate to students and parents they can trust their data is safe.


What do kids think of privacy and online safety?

What do you think a class of 5th graders would answer if you asked them if they should be allowed to have Facebook accounts? Do you think most of them would want to be on social media? Think again, most don’t believe they should.

Surprised? So was I. Recently, a class of 5th graders wrote persuasive essays on whether kids as young as 10 years old should have Facebook accounts. I was fortunate enough to be invited to their class to talk with them about their thoughts on online safety and privacy. Receiving student feedback is challenging and they can be brutally honest. But if we make a conscious effort to listen to students and their ideas and concerns we can gain great insight into what our talks about student privacy should be about. The biggest takeaway from the visit for me was that students care about their information and being safe online. They want adults to know that at the end of the day the focus should be on students and how we can protect their information. Whether it is with appropriate safeguards for online safety or protecting their privacy in schools with the educational software they use. Students want teachers and prospective schools to know about them as learners but they want to have control of the information they think is important for teachers (and schools) to know about them.

Brenda Leong, Fellow at the Future of Privacy Forum, and I sat down to talk about my class visit. Having a conversation with students highlighted the need to remember that our debates on student data privacy are about students and how it affects them.  It certainly brought the conversation back into focus.

You can watch our conversation here: