Lessons 1 & 2

    Lesson 1: State Boards Shape Data Privacy Policy Significantly

    As education leaders and policymakers, SBEs have a responsibility to ensure that state and local data collection is secure and protects individual rights. SBEs should take action if state policy falls short of these criteria for effectiveness. They have a further responsibility to use their state platforms to call for changes in federal law and industry standards that would ensure appropriate collection, use, and security of education data.

    State boards are well positioned to act. As noted above, 36 already have some legal authority over student data privacy, and that authority is growing. Since 2013 28 states have introduced bills that would put SBEs in charge of some aspect of student data privacy, with 14 of those bills passing into law.

    These laws give SBEs a variety of responsibilities, ranging from ensuring compliance to shaping data privacy policy.(see box 1). Sometimes the legislature specifically gives the state board the task of writing the state’s educational data collection policy. In some states, this is a general requirement. For example, Nebraska’s law requires the state board to write binding rules, interpreted just like a law, for data sharing.1 In other states, the board gets detailed direction on fulfilling this task. In West Virginia, the legislature spelled out a long list of criteria for all data-sharing relationships with research organizations.2 In New Jersey, the statute tasks the SBE with creating regulations that will protect the right of students and parents to have access to student information, protect their right to privacy, and protect “the opportunity for the public schools to have the data necessary to provide a thorough and efficient educational system for all pupils.”3 Other state boards have acted independently, using their authority as overseers of education in their state, to pass important data privacy reforms (see box 2).

    [BOX 1]

    In 18 States SBEs Write Data Collection Policy

    Eighteen state boards have this duty: Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Florida, Louisiana, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oklahoma, South Carolina, Utah, Wyoming, and Washington, DC.

    [BOX 2]

    Alabama Board Takes the Lead

    In Alabama, the state board passed a resolution in 2013 that has served as the primary law on student data privacy. The resolution required SEAs and LEAs to take several important steps: regular training in data security and student privacy laws for individuals with access to student data, creation of an external data request procedure that must go through a data governance committee, and local adoption of a student records governance and use policy. The SEA must periodically audit and monitor district practices and policies.

    Source: Alabama State Board of Education, To Approve the Alabama State Board of Education Data Governance Policy, Resolution, Passed October 10, 2013, http:// www.alsde.edu/sites/boe/_bdc/ALSDEBOE/ BOE%20-%20Resolutions_3.aspx?ID=2018.

    Transparency has increased as a result of elevated state board roles in education data privacy. One of the main reasons state boards began to be named as the primary state policymakers in this arena was the fact they operate openly (see box 3). Unlike the operations of state education agencies (SEAs), meetings of the state board are public and frequently covered by the media. Before state boards gained their current responsibilities in data privacy, many states handled student data primarily within SEAs and without public process or scrutiny, according to Oklahoma State Representative Jason Nelson, coauthor of one of the first state student privacy laws passed in 2013. Nelson says this was a major factor in Oklahoma’s decision to give this power to the state board.4

    However, one of the most interesting and novel responsibilities granted to state boards under recently passed privacy laws goes beyond rule writing. In five states, state boards have been given the authority to supersede aspects of student data privacy laws on a case-by-case basis that must be reported to the public annually.

    This authority has only rarely been invoked, but it can help avoid the unintended consequences that frequently accompany new legislation. For example, in Oklahoma, a problematic regulation accidentally banned the release of graduation rates in 54 percent of its districts. Under Oklahoma law, this regulation could not have been fixed by the legislature until mid-2016. Yet because of the law’s countermand clause, the state board could intervene to authorize the release of these graduation rates on a onetime basis.5

    These clauses are subject to public scrutiny through annual reports that are to be delivered either to the governor or state legislature. In them, the state board must list exemptions granted and the reasons for those exemptions.

    Lesson Learned

    Many state boards now have broad powers under new state laws, frequently because of their public, transparent nature. SBEs can and should use the authority of their office with their newfound legal powers to support purposeful, secure collection and use of education data.

    [BOX 3]

    The Question of Directory Information

    Transparency is particularly important when discussing directory information, a legal term that describes information that schools can disclose to anyone without parental consent. Called directory information because it is information that would typically be included in a school directory, it can include a student’s and parents’ names, address, telephone number, e-mail address, date and place of birth, honors and awards, clubs a student participates in, and dates of attendance. It could also include a student’s biography in a drama playbill, an honor roll list, the yearbook, or a sports activity list that includes heights and weights of team members.

    Schools must annually notify parents about what they consider directory information. Directory information is the only category of data collection under FERPA for which parents can opt their children out of collection or disclosure.

    Some privacy advocates argue that more parents should be opting out of release of directory information. “Directory information may sound innocuous, but it can include sensitive information about each student that is quite detailed,” said Pam Dixon, executive director of the World Privacy Forum, “And aft er the school releases this data, it is considered to be public information, and you’ve lost control of it. I don’t think most parents know this.”a

    “Parents are worried about information held by vendors,” said Sheila Kaplan, who helped draft New York’s student privacy law. “Yet it is the schools that are selling the information or sharing it and allowing it to be sold. And schools should not be data brokers.” Kaplan’s organization, Education New York, has published a model state bill that restricts schools sharing of directory information.b

    Data Quality Campaign’s Paige Kowalski suggests an additional way of protecting directory information: Requireenhanced transparency about what directory information schools disclose by requiring that the annual notice to parents include a disclosure of those to whom schools have disclosed directory information in the past year. “ To help parents make informed decisions, schools must be more transparent about what data is shared and how they’re making these decisions,” Kowalski said. c

    a. Herb Weisbaum, “Privacy Quiz: How Do You Stop Schools from Sharing Kids’ Data?” NBC News, September 8, 2015, http://www.nbcnews.com/business/consumer/studentprivacy-n423466.

    b. Sheila Kaplan, interview with author, March 18, 2016; Education New York, Model State Law: Student Privacy Protection Act, accessed March 18, 2016, http://educationnewyork.com/files/Model State Law 1.pdf.

    c. Interview with author, March 18, 2016.

    Lesson 2: Stating the Value of Data Is Essential

    “Why do you need my child’s data?” This question has underpinned the vast majority of parental concerns surrounding student data privacy. Schools, districts, and states have not always done a good job explaining to parents the vital role data play in education, and this lack of communication has frayed the trust between parents and schools. Even as state policymakers, who rely on these data to make evidence-based decisions, have begun to enact student privacy protections across the country, this question has often gone unanswered. While the majority of the new laws do protect student data, they often don’t clarify why the data are needed in the first place.

    Better data increase the efficiency and effectiveness of teaching and learning.

    In 2014, data on Delaware students revealed that a significant number were college ready but had not or did not intend to apply for college. The state worked with the College Board to send informational packets to students on colleges they could attend, and high school guidance counselors followed up with students and parents to help them through the application process. Before this program, only 80 percent of Delaware’s college-ready high school students enrolled in college. After data empowered the state to act, 98 percent of those students enroll in college.6

    However, such revelations and their origin in data often fail to trickle down to parents. As Aimee Guidera, president and CEO of the Data Quality Campaign, pointed out, “The idea of using data in the classroom can be confusing, daunting, and even scary. Because our kids are unique, we want to be sure they are not reduced to numbers in a spreadsheet.”7

    Parents of special education students often understand better than anyone why data are essential. A poignant article by Troy Wheeler, a parent of children with special education needs, explained how an out-of-state move cemented his belief in responsible data use. Wheeler explained that none of his children’s records, including test scores, academic placement assessments, and special education data transferred to their new school. Wheeler wrote that his wife spent hours digging through old files and calling their old district to get information copied and sent. Because the education curricula in their new state differed from what Wheeler’s children had been learning, the new school didn’t have the information needed to place them in the appropriate course levels. It took six weeks before the new school discovered that Wheeler’s son was struggling more than he should have been in math, which meant he had to be placed in a different class. As Wheeler put it, “Because no data followed my son, he was left feeling like he was failing amidst the already difficult situation of adapting to new peers and trying to make new friends.”8

    Because approximately 15 percent of families move each year, Wheeler’s case is far from an isolated incident.9 Schools need individual student data to help them address individual student needs, and the data must be sharable so new teachers can help students from day one. Technology and real-time data analysis can tell teachers earlier whether a student is learning and on track to do well. Such proactive efforts allow teachers to help their students without waiting until quarterly grades or parent-teacher conferences require them to determine whether a student is falling behind.10

    States have adopted a variety of approaches to communicate the value of data to parents. Districts and a few states are creating “data dashboards,” which show parents how their child is doing on an ongoing basis. These districts and states are also finding ways to provide parents direct access to data. For example, products such as Edline allow parents to receive daily reports on assignments, homework grades, test scores, and “even the slides and videos used in class.”11


    A key part of communicating about the value of data is also communicating why educational agencies and institutions partner with companies to store, analyze, and protect data. Parents are especially concerned about data collection when the entity collecting their children’s data is a for-profit company. A 2014 poll commissioned by Common Sense Media revealed that 90 percent of adults worry about companies’ ability to access and use students’ personal information.12

    For most schools, involving private companies is a matter of practicality: They do not have the personnel or technical expertise to build data centers, create learning soft ware or apps, or host servers. “As many Fortune 500 companies holding sensitive banking or health data have determined,” writes the Future of Privacy Forum in a recent report, “relying on the security protections of outside companies that can deploy hundreds of staff and first-class security tools can far exceed the capabilities of individual companies. Compared to large businesses, schools have far less funding and technical expertise. Even large school districts are hard pressed to keep up with the continual security alerts, patches, and updates needed to maintain secure systems of their own.”13 It is incumbent on school, district, and state administrators, as well as board members and other policymakers, to make this case to parents. It is a critical step in building parents’ trust that schools are using data for good purposes while they are also protecting student privacy.

    Lesson Learned

    A vital part of student data privacy policy is explaining to parents why data are collected and how they are used. If parents do not understand how data can help their children, they will not care how the state is protecting the privacy or security of that data. Instead, they may demand that the data not be collected at all. SBEs and other policymakers can use their bully pulpits to explain the value of student data to parents and other members of the public.