The Policymaker's Guide to
Student Data Privacy
April 2019
Tyler Park, Sara Collins, and Amelia Vance
Future of Privacy Forum
Shared Under Creative Commons License
Introduction
Schools have always collected a wide range of data—from enrollment information, to tracking student performance throughout the year, to health and disciplinary records—to allow teachers and school leaders to best serve every student. As all levels of education institutions take advantage of technology, such as vast libraries of resources, learning management systems, and tools that allow students to collaborate with peers around the globe, they are also using personal data associated with these kinds of connected learning. While increased data use has the potential to transform education for the better, empowering students and teachers to enhance learning, it can also put sensitive student information at risk. A loss of autonomy, a stifling of creativity due to feeling surveilled, or even the public revelation of highly sensitive information like financial data or disability status are just some potential consequences of technology misuse, poor data security policies, or insufficient privacy controls.
Effective policies enacted at the local, state, and federal levels can curtail the risks accompanying student data collection and ensure that data is used ethically to support learning. Since 2014, state policymakers have built new legal frameworks, passing almost 120 laws to protect student privacy. As data breaches and privacy issues continue to capture public attention, it’s up to policymakers to develop thoughtful approaches to student data privacy: legislation, rules, policies, and technical safeguards that protect student data and can adapt to a quickly evolving technological environment.
Drawing on the experience of seasoned student privacy policy experts, this document is meant to help policymakers craft effective student privacy protections.
How Is Student Data Used?
Parents, educators, and policymakers all use student data—academic information, assessments, demographics, teacher reporting, and data created by students themselves such as homework or participation in activities—for varying purposes. For example, parents might use student data to support academic growth at home. Educators might use it to inform effective instruction and communicate with parents. Policymakers often rely on aggregate data to allocate resources or craft laws.
These uses, in addition to many cutting-edge technologies, rely on student data to support students and develop effective, data-driven approaches to education. However, particularly in the context of education, questions regarding who collects and has access to student data remain constant, especially in light of the recent increase in data breaches across nearly all sectors of business and government. A lack of transparency about both the scope and type of student data use can create distrust among stakeholder groups and can cause misinformation to drive the student privacy conversation.
Without appropriate guardrails in place, individual student data can be used for non-educational purposes, such as commercial advertising, immigration matters, and law enforcement. Stakeholders have also raised concerns about edtech vendors that collect, use, retain, and share student data for these non-educational purposes. In response, many states have passed laws prohibiting the use of student data for these purposes, such as building student profiles for advertising.
To learn more about different uses of student data, look at the Data Quality Campaign’s video and infographic about student data use, which are listed in the resources section of this guide.
Which Federal Laws Already Address Student and Child Privacy?
The two main federal laws that focus on student records and children’s data are The Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act.
Enacted in 1974, the Family Educational Rights and Privacy Act (FERPA) guarantees parents access to their children’s education records and restricts the parties to whom schools can disclose students’ education records without consent. Under FERPA, “education records” include records maintained by an educational agency or institution (or a party acting on their behalf) that contain information directly related to an individual student.
Because FERPA’s requirements are mandatory for schools that receive funding from the U.S. Department of Education, the law applies in most K–12 schools and in many public and private post-secondary institutions. Regulators enforcing FERPA have the authority to enter into mediation with schools to resolve violations, prohibit schools from working with certain third parties, and withhold all federal funds from education institutions that violate the law. Today, FERPA remains the main federal law governing student privacy in schools. However, while technology has shifted greatly, the statute has not been routinely amended by Congress.
The Children’s Online Privacy Protection Act (COPPA) governs the information that companies operating websites, games, and mobile applications can collect from children under the age of 13. Applicable to all online products directed toward consumers under 13 and to situations in which companies have “actual knowledge” that a specific user is 12 or younger, COPPA requires companies to have a clear privacy policy, provide direct notice of data collection to parents, obtain verifiable parental consent for collection of any personal information from a child, and allow parents to request deletion of their children’s data.
Educators and other school officials such as district administrators are authorized to provide consent on behalf of parents for the use of products in the context of educational programs. In these instances, a company can only collect personal information from students for a specified educational purpose, not for commercial purposes.
COPPA is enforced by the Federal Trade Commission (FTC) and state attorneys general, which have the power to investigate complaints, require violators to change their practices, levy fines, and enter into settlements.
Which Federal Laws Already Address Student and Child Privacy?
The two main federal laws that focus on student records and children’s data are The Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act.
Enacted in 1974, the Family Educational Rights and Privacy Act (FERPA) guarantees parents access to their children’s education records and restricts the parties to whom schools can disclose students’ education records without consent. Under FERPA, “education records” include records maintained by an educational agency or institution (or a party acting on their behalf) that contain information directly related to an individual student.
Because FERPA’s requirements are mandatory for schools that receive funding from the U.S. Department of Education, the law applies in most K–12 schools and in many public and private post-secondary institutions. Regulators enforcing FERPA have the authority to enter into mediation with schools to resolve violations, prohibit schools from working with certain third parties, and withhold all federal funds from education institutions that violate the law. Today, FERPA remains the main federal law governing student privacy in schools. However, while technology has shifted greatly, the statute has not been routinely amended by Congress.
The Children’s Online Privacy Protection Act (COPPA) governs the information that companies operating websites, games, and mobile applications can collect from children under the age of 13. Applicable to all online products directed toward consumers under 13 and to situations in which companies have “actual knowledge” that a specific user is 12 or younger, COPPA requires companies to have a clear privacy policy, provide direct notice of data collection to parents, obtain verifiable parental consent for collection of any personal information from a child, and allow parents to request deletion of their children’s data.
Educators and other school officials such as district administrators are authorized to provide consent on behalf of parents for the use of products in the context of educational programs. In these instances, a company can only collect personal information from students for a specified educational purpose, not for commercial purposes.
COPPA is enforced by the Federal Trade Commission (FTC) and state attorneys general, which have the power to investigate complaints, require violators to change their practices, levy fines, and enter into settlements.
Do General Privacy Laws Address Student Data?
Some state-level general privacy laws are written broadly enough to apply in the school context. It is important to be aware of the possible impact of these general privacy laws, as they may cover schools or create unintended consequences regarding education data.
For example, the California Electronic Communications Privacy Act (CalECPA) prohibits state governmental entities from searching Californians’ phones without consent, a warrant, or during an emergency. This broad prohibition was intended to restrict law enforcement access to citizens’ electronic communications. However, the statutory language unintentionally included school officials such as administrators, effectively changing decades of practice that allowed administrators to search students, under a lower standard imposed by the Supreme Court.
While heightened requirements for searching students’ phones can protect privacy, they have also unintentionally harmed students. In one instance after CalECPA passed, students circulated explicit pictures of a girl around their school. Yet, school administrators were unable to search the students’ phones because they did not have the evidence needed to obtain a warrant. The girl, humiliated, ended up moving to another school district because the law kept officials from stopping the sharing of the images.
In addition to prompting more narrow privacy laws, increased public concern about privacy issues has led to the 2018 passage of the California Consumer Privacy Act (CCPA), a general privacy law that restricts companies’ use of Californians’ data. The implications of CCPA for education in California are not clear, but CCPA and California’s education-specific law, the Student Online Personal Information Protection Act (SOPIPA), differ in some areas, especially regarding edtech vendors. For example, SOPIPA requires education vendors to provide schools with access and deletion rights for student information, but CCPA provides those rights to all consumers whose information is held by a business, which may include edtech vendors. This conflict could allow a student who is still in school to contact an edtech vendor and delete their information, including grades and homework, an outcome that CCPA’s authors likely did not intend or anticipate.
As state legislatures implement general consumer privacy laws, policymakers should be mindful of the interaction between new proposals and existing student privacy rules.
What Are Common State- Level Approaches to Regulating Student Data?
States have approached the regulation of student data use in three ways. The first is by regulating schools (LEAs) and state-level education agencies (SEAs). For example, Oklahoma’s 2013 Student Data Accessibility, Transparency, and Accountability Act (Student DATA Act) addressed permissible state-level collection, security, access, and uses of student data. Bills following the Oklahoma model have limited data collection and use and defined how holders of student data can collect, safeguard, use, and grant access to data.
The second approach has been to regulate companies that collect and use student data. For instance, California’s Student Online Personal Information Protection Act (SOPIPA) prevents online service providers from using student data for commercial purposes, while allowing specific beneficial uses such as personalized learning.
California supplemented SOPIPA by enacting AB 1584, a law that explicitly allows districts and schools to contract with third parties in order to manage, store, access, and use information in students’ education records. An enforcement provision, AB 375, was also added to give the California Attorney General additional authority to fine companies that violate SOPIPA and AB 1584. This law has become a model for the regulation of edtech vendors’ use of student data. More than 20 states have since adopted similar laws.
The third approach combines the first two models. For instance, to regulate its state longitudinal data system, Georgia chose to follow Oklahoma’s lead in addressing three core issues regarding state education entities: which data is collected, how student data can be used securely and ethically, and who can access student data. Combined with SOPIPA-like regulation of third parties, this approach has allowed innovative uses of student data while establishing meaningful privacy protections for students. Similarly, Utah has taken a modified hybrid approach by regulating districts, the state education agency, and companies. Utah took the additional step of creating and funding a Chief Privacy Officer and three additional privacy staff not only to carry out the law but also to provide training for teachers and administrators and to create resources that help stakeholders ensure compliance.
Since 2015, state legislation has tended to regulate data use rather than collection, and to focus laws on specific privacy topics such as data deletion, data misuse, biometric data, and breach notification. For a closer look at state law trends, see the Data Quality Campaign’s Education Data Legislation Review and FPF's list of state laws. Both are listed in the resources section.
What Are Potential Issues to Consider When Drafting Student Privacy Legislation?
Policymakers at both the state and federal levels have taken up numerous specific issues in student privacy laws. Even well-intentioned actions can result (and have resulted) in unintended consequences. Policymakers should be aware of past laws that have been reconsidered and revised in response to stakeholder feedback.
School Safety and Surveillance
In light of many recent, horrific school shootings, officials have considered measures such as surveilling students online in an attempt to keep students safe. While student safety programs are crucial, policies should be carefully considered to ensure they meaningfully increase school safety while minimally impacting students’ privacy.
Surveillance can impact students in many ways, such as the feeling of constantly being watched, which can lead to a loss of student autonomy and creativity. Evidence also shows that school surveillance disproportionately affects disadvantaged and minority students. When setting policy, policymakers must employ evidence-based practices to carefully balance actions that meaningfully increase safety with those that infringe upon student privacy.
In the wake of the Marjory Stoneman Douglas High School shooting, Florida passed a law, FL 7026, that created a database of information from social media, law enforcement, and social services agencies. Private groups have expressed concerns that this large-scale data sharing could be used to inappropriately track and discipline students for non-safety reasons.
Vendors and Third-Party Student Data Use
States are increasingly choosing to address third parties’ collection and use of student data, specifically companies that provide services in schools. While SOPIPA-like laws are the most common, some states have imposed indirect requirements on companies by requiring schools or districts to protect the student data they share with vendors. Third parties provide various important services in schools that involve student data and do not typically raise privacy concerns, such as school photography or transcript delivery. Policies that are not carefully crafted may inadvertently impact these and similar services. For example, a prohibition of the collection of “biometric information” could include class and yearbook photos, and a ban on the sale of all student data could include student data in transcripts sent to colleges. Anticipating these types of unintended consequences is vital for creating effective privacy legislation.
Student data is useful for researchers, for instance to study the efficacy of technology products, to determine whether a new nutrition initiative is effective, or to understand why test scores vary across a district. Research and data are necessary to create evidence- based education policy and to monitor whether policy decisions are effective. FERPA permits the disclosure of student education records to researchers without the need to obtain consent. Leaders who determine which data will be shared with researchers under applicable laws should determine the school or state’s research priorities, communicate those to the broader community, and have a standardized method of interacting with outside researchers.
Transparency
Transparency requirements, including things such as mandatory communication between administrators and parents, can help to address the concerns of parents, students, and others about how data is used. Transparency measures are an important part of building trust among different stakeholders in education. Moreover, school records are often subject to Freedom of Information Act and open government requirements, so clear processes that promote transparency can help schools comply with requests for information.
That said, poorly crafted transparency requirements can be unwieldy and ineffective. A Connecticut law, HB 5469, required local and regional boards of education to electronically notify parents every time they signed a new contract with a vendor. Because districts generally contract with dozens or hundreds of vendors for various services, LEAs were overwhelmed by the number of notices they were required to provide, and parents were flooded with so much information that the intended value of the transparency measure was lost. Once districts shared how the law was working on the ground, the state legislature acted quickly to amend the law, allowing districts to provide a comprehensive notice annually instead of after every contract.
Parental Rights
In many instances, policymakers have chosen to establish rights for parents regarding student data. While this can ensure transparency and create meaningful student protections, it’s not always a perfect solution. In several cases, parental involvement in school processes has caused unintended consequences.
For example, in 2014, Louisiana required opt-in parental consent for student data use, effectively precluding some beneficial uses of student data. And because the law carried criminal penalties, teachers and administrators did not want to risk jail time, so they shied away from using student information in any way that could violate the law. As a result, printing news stories about local football teams, yearbook publication, and recommendations for state-funded college were disrupted.
New Hampshire’s 2015 state student privacy law also caused unintended consequences. The law required teachers to get written approval from the school board, parents, and a supervising teacher before they could record video in classes. While the law was intended to protect students from classroom surveillance, it also prevented students with learning disabilities from using video technology to assist them in the classroom. Additionally, the law prevented student teachers in New Hampshire from recording themselves in action—a requirement for certification. The New Hampshire legislature has since carved out an exception allowing classroom recordings for students with disabilities, but student teachers still require approval from the school board, all parents, and the supervisory teacher before they can record themselves.
Data Governance and Security
To create policies on governance and security— processes and systems governing data quality, collection, management, and protection—policymakers should include defined, formal roles for school officials and limits on data access, disclosure, and use. Beyond establishing physical security measures such as limiting who has access to the places where student information is stored, states have also worked to implement software security standards to keep student data safe from potential breaches. For example, West Virginia enacted its own version of Oklahoma’s Student DATA Act, which includes formal policies defining roles and responsibilities; data access, disclosure, and use; data management and monitoring; and how data is collected, accessed, and used. The law created procedures for compliance, training for all stakeholders, strategies to respond to incidents, and public forums to increase transparency.
Training
For student privacy legislation to be effective, administrators must have the tools and training they need to implement privacy protections. This training often includes basic internet and computer safety, how to safely and effectively use data, which apps and programs are safe to use, and the dangers of unintentional disclosures. Even with strong student privacy laws, schools lacking effective training may struggle to comply with legal requirements. Unfortunately, training mandates are often unfunded, leaving districts with difficult choices about how to provide privacy training without reducing funding in other areas. Utah is currently the only state that requires an annual course for educator relicensure, although many states and districts, large and small, have found ways to build a culture of privacy.
Which Stakeholders Should Policymakers Consult When Considering Measures to Protect Student Data?
For policymakers, engaging with key stakeholder groups—students and parents; educators; district-, state-, and federal-level education officials; edtech vendors; and other third-party service providers—can be crucial for effectively protecting student privacy. Not only will these groups inform policy positions, they can also be useful for learning about which student data privacy practices are effective on the ground.
Students and their families are central to all student data privacy legislation. In order for students to excel in our nation’s schools, students and parents must understand student data practices and trust that data will not be improperly disclosed. A best practice is for policymakers to engage with parents and students to create legislation that tackles student data privacy and ensures a safe, trusting learning environment.
Educators commonly use student data in the classroom to help their students learn. Recently, some states have implemented 1-to-1 device programs (providing a device to every student), and technological integration is increasingly common in today’s digital world. Engaging with educators to understand how technology is used in the classroom can be an important step in crafting policies, especially to avoid unintended consequences. Further, educators can help to clarify gaps in training, budget, or policy at the school level that policymakers can address.
District, state, and federal education officials are generally responsible for ensuring that student data is properly collected, shared, and protected. These officials often have limited capacity to create and implement complex student data privacy programs, which may lead to ineffective or burdensome data governance programs. Education officials are well situated to identify systemic gaps where legislation is needed, and often have particularly valuable insights about how to create effective protections for student data.
Lastly, as providers of most of the technology used by students in modern classrooms, edtech vendors and service providers, from large companies to small startups, are also a vital part of the student privacy conversation. Vendors are commonly subjected to contrac- tual provisions or legislation that restrict how they can use student data, and therefore can provide a unique perspective on measures that can help students succeed and promote innovation.
Effective student privacy legislation assures parents and other stakeholders that student data will be protected, while allowing educators, administrators, and edtech vendors to use the data to improve student learning outcomes. Laws that fail to consider the full breadth of stakeholder concerns can prohibit positive uses of data or fail to effectively protect students’ privacy. To craft laws that reflect the values of their communities, policymakers should listen to the needs of parents, students, vendors, educators, and education officials.
Closing Thoughts
Students and educators are using technology to make learning more inclusive and exciting. But emerging technologies also present risks, particularly the risk that sensitive student information will be used inappropriately or fall into the wrong hands. Educators, school leaders, parents, students, and edtech providers all need flexible, effective regulation to ensure that student data is collected, used, and stored safely.
Good policy—including legislation, regulations, policies, enforcement, and other policymaking approaches—is key to protecting student data. While some state-based approaches have proven to keep student information safe and to promote innovation, regulations sometimes have unintended consequences or are impractical for stakeholders to implement. Policymakers should be aware of their pivotal role in crafting and shaping effective student data privacy legislation, because students deserve every opportunity to better themselves and increase their chances of success in a safe and trusted environment.
Advisory Council
FPF thanks the following individuals and their respective organizations for contributing their time, insight, and work in assembling and communicating the information in this guide.
Noelle Ellerson Ng, AASA, The School Superintendents Association
Tom Murray, Alliance for Excellent Education
Brent Engelman, Council of Chief State School Officers
Rachel Anderson, Data Quality Campaign
Abby Potts, National Association of State Boards of Education
Sonja Trainor, National School Boards Association
Sunny Deye, National Conference of State Legislatures