Over the last few years, state legislatures have considered hundreds of student data privacy bills, and that's shown federal policymakers that this issue is important to their constituents. This session, legislators have been discussing data privacy in the context of reauthorizing the Elementary and Secondary Education Act (ESEA), as well as generally how to safeguard data that comes from classes that are using more technology.
The National Association of State Boards of Education has compiled a helpful chart that breaks down how eight different student data privacy bills match up with each other, and with existing laws including the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act.
One of the most promising pieces of legislation is Amendment 2080 sponsored by Sen. Orrin G. Hatch (R-Utah) and Sen. Edward J. Markey (D-Mass.), which passed in the Senate's version of an ESEA reauthorization this month. This amendment would establish a committee on student data privacy that could make privacy policy recommendations.
"If the commission moves forward, I think it will be really helpful to see what the commission recommends as we think through how to bring privacy into the 21st century and address the realities of classrooms today," said Paige Kowalski, vice president of policy and advocacy for the Data Quality Campaign.
Several other bills directly regulate online service providers that collect or access student data. These bills are modeled after California's Student Online Personal Information Protection Act, which is considered one of the toughest student data privacy laws in the country.
Introduced in April, the Student Digital Privacy and Parental Rights Act of 2015 from Rep. Luke Messer (R-Ind.) and Rep. Jared Polis (D-Colo.) would provide better coordination between the Federal Trade Commission and the Department of Education to enforce the bill's provisions. Under the bill, third-party service providers and their subcontractors would not be allowed to sell student information or use it to target advertising to students. They would be able to use the information for personalized student learning.
Another bill in the Senate is similar to the Messer-Polis bill — the Safeguarding American Families from Exposure by Keeping Information and Data Secure (SAFE KIDS) Act. Introduced by U.S. Sen. Richard Blumenthal (D-Conn.) and Sen. Steve Daines (R-Mont.) in July, the bill does a few things differently. Service providers would be required to publically post their privacy policies and receive consent from schools to use student data. By contrast, the house bill would connect parents directly with service providers as they choose whether to give them permission to use their students' data, challenge the data that they hold or ask them to delete the information.
A group of four representatives chose to tackle a rewrite of FERPA with the Student Privacy Protection Act (H.R. 3157) to make the law clearer and more up to date in today's Digital Era. Todd Rokita (R-Ind.), Marcia Fudge (D-Ohio), John Kline (R-Minn.) and Bobby Scott (D-Va.) introduced the bill in July. Under the bill, educational agencies and institutions would have to determine whether each third party they wanted to work with had high enough security for student data, and they would have to share with parents the written agreements they make with third parties.
The potential problems with H.R. 3157 include a heavy burden on educational institutions to verify security standards, a research studies exception that would hinder the benefits that all students receive from the research, and ambiguity about whether tutors or after-school programs can access student data in partnership with a district.
Another potential problem for all of the bills is that there's no requirement for data security training for employees of education institutions. Given the high numbers of security breaches caused by internal errors, a lack of training is a major loophole in any data security initiative.
"Unfortunately none of them have really addressed the key thing: It is absolutely essential that everyone who has access to student data is trained on how to protect it," said Amelia Vance, director of education data and technology at the National Association of State Boards of Education.
As legislators consider these bills, Kowalski suggests that they consider building their policy framework off of 10 student data privacy principles that about 40 organizations came up with. These principles include using student data to support student learning and personalize it.
It's important to spell out not only what service providers and education institutions can't do, but also what they can do for student learning, Vance said. And that means balancing privacy protections with innovation in the classroom.
For example, Vance said, "It's absolutely necessary that we use data in a good way to help kids succeed who may not have graduated in the past."