States Score Low Among Privacy Organizations
“The State Student Privacy Report Card,” released earlier this year by the Parent Coalition for Student Privacy and The Network for Public Education, gives no state the top grade — an A-plus — for their laws protecting students’ data. The top-scoring state, Colorado, earned a B.
“Digital record-keeping has replaced traditional paper files, classroom assignments and assessments are often delivered online via laptops or tablets, teachers use social media platforms, websites and ‘free’ apps in class, and many operational functions historically performed by schools are now outsourced remotely to contractors,” the report’s authors write.
“As a result, students generate enormous amounts of sensitive electronic data about themselves every day, not all of which is clearly protected by federal law.”
This includes students’ full names, dates of birth and home addresses, as well as other sensitive information such as health records, special education referrals, and, in some cases, biometric data such as fingerprints and facial scans.
“Privacy laws in and of themselves are very, very complex and hard to interpret,” says Leonie Haimson, co-chair of the Parent Coalition for Student Privacy.
FERPA Changes Can Make Following Privacy Laws Confusing
The report continues, “Compounding the problem, FERPA has been weakened numerous times over the years through regulatory changes, making it easier for schools to collect and share this data with large private corporations, including Silicon Valley giants such as Google, Facebook, and Microsoft, as well as thousands of smaller ed tech companies, many of them start-ups who offer their wares for free to schools in exchange for access to student data.”
To fill these gaps, the report states, more than 120 student privacy laws in at least 40 states have been passed since 2013, creating a confusing patchwork of statutes.
Haimson says her organization believes these laws do not go far enough, and that FERPA has been weakened too much to be effective in protecting students’ data.
At issue, she says, is that FERPA was altered twice since it first passed in the 1970s, creating exceptions to share information and students’ records with vendors without parents’ consent.
“That’s why this data is flowing out all over the place, and it’s really hard to ever know how it’s being used,” she says.
K–12 Privacy Regulations Should Match Schools' Needs
In the past four years or so, Haimson says, discussion about strengthening FERPA to modernize and update the law has become more common.
“With the explosion of the use of ed tech tools, there’s increased disclosures happening, and that data isn’t really being protected,” she says.
“Schools in an educational agency are responsible for the data of their students, and no one should have access to that besides parents, students and third-party service providers,” he says. “The understanding is that the laws and regulations also apply to those providers to protect that data as if they were the school.”
For example, he says, under the current law, a company providing surveillance cameras and software for a school must abide by the same laws a school lives by when it comes to protecting students’ data.
He says existing laws work if they are followed.
“Schools are in the business of educating students, but they need to be very aware of what is in their contracts and make sure they are holding vendors to what is in their contracts,” Greene says.
“Schools should always be thinking, ‘Why are we holding this information, how long should we hold it and who are we allowing to have access?’” he says.
He advises that school leaders ensure their third-party vendors have appropriate safeguards in place and make sure contracts hold them liable if something does go wrong.
“We live in a new world where there are really cool advances,” Greene says. “It’s just a matter of responsibly implementing them.”