Experts shared conflicting advice at a congressional hearing this week on how to ensure student data privacy in the cloud, with much of the conflict revolving around whether federal legislation does enough to protect students.
Here's the main challenge with student data: School districts are contracting with third-party cloud service providers that store student data, use it to personalize learning for each student and provide detailed assessments of students' progress. Although these practices improve learning, they can cause problems when the systems that store the data aren't secure, when the school districts no longer control the data and when these vendors use the data for non-educational purposes.
"Schools essentially routinely relinquish student privacy when they contract with vendors, and parents are kept in the dark," said Joel R. Reidenberg, the founding academic director of the Center on Law and Information Policy at Fordham University.
The center's 2013 study on cloud computing in schools found that less than a quarter of the 20 school districts surveyed said their contracts reflected the purpose for disclosing student data to vendors. And many contracts allowed vendors to change the terms at will.
Another issue is that these contracts often don't require vendors to report data breaches or disclosures, and state breach reporting laws vary so widely that they may not apply either. Smaller school districts especially need legal help to create contracts that adequately secure student data and keep it private, Reidenberg said, and many of them don't have access to legal counsel. He suggests that each state should have a chief state privacy officer to help school districts navigate through legal issues such as vendor contracts.
Reidenberg's group was one of four organizations providing testimony before two House subcommittees on Wednesday, June 25. The hearing also included experts from the Software and Information Industry Association, the Idaho Department of Education and the Alliance for Excellent Education. Each organization had five minutes to make its case to subcommittee members of the Homeland Security, and Education and the Workforce committees.
11 Data Privacy Recommendations
- Say yes to privacy and student data. — Murray, Alliance for Excellent Education
- Have teachers sign confidentiality agreements specifying what student data they can share with whom. — Murray, Alliance for Excellent Education
- Conduct a yearly state audit in school districts to see who knows where the data is, who has access to it, what security measures are in place and whether it's safe. — Murray, Alliance for Excellent Education
- Minimize the data that's collected and do not collect Social Security numbers. — Reidenberg, Fordham University School of Law
- Encrypt the data that is stored and transferred. — Reidenberg, Fordham University School of Law
- Hire chief privacy officers at the state level to help school districts through issues. — Reidenberg, Fordham University School of Law
- Update FERPA legislation because it leaves major holes in student data privacy. — Reidenberg, Fordham University School of Law
- Do not update FERPA legislation because it adequately protects student data as written with additional guidance from the U.S. Education Department, and new legislation poses the risk of stifling innovation. — MacCarthy, Software and Information Industry Association
- Pass federal student privacy legislation. — Reidenberg, Fordham University School of Law
- Require vendors to keep data secure and private. — Reidenberg, Fordham University School of Law
- Review contracts with district solicitors. — Murray, Alliance for Excellent Education
The unanswered questions
Who owns the data?
Does data mining violate privacy?
For what purposes should we mine data?
Tracy Mitrano, an edu.SafeGov.org expert and former director of IT policy at Cornell University
The big question that stirred up debate was whether Congress should overhaul the Family Educational Rights and Privacy Act (FERPA), which requires school districts to follow specific privacy guidelines for student educational records in order to receive federal funding. The law is complex, results in different interpretations and includes exceptions that make it even more complicated.
The Center on Law and Information Policy contends the legislation that passed originally in 1974 must be overhauled to reflect the digital times we live in. Reidenberg says the law leaves too many holes and gaps for third-party companies to exploit student data for their own profit. And many school districts don't even know what's going on with their data, much less have strong contracts that dictate what vendors can do with the data
But the Software and Information Industry Association argues that existing law adequately protects student data, particularly since the U.S. Education Department released guidance earlier this year on how to handle student data in third-party cloud services, said Mark MacCarthy, vice president of public policy for the association. He's concerned that new legislation will stifle innovation.
"The effective use of education technology and student information is essential for improving student learning, for empowering parents, and ultimately for ensuring the competiveness of the U.S.," MacCarthy said.
MacCarthy says current law and best practices developed by organizations like the software association and the Consortium for School Networking are enough to keep cloud vendors from exploiting student data. MacCarthy and Reidenberg traded comments back and forth about what exactly the legislation does. And the fact that they disagreed shows that new federal legislation is needed to settle the issue, Reidenberg said.
While Reidenberg wants an overhaul of federal legislation, some committee members suggested that each state should tackle this issue. And a witness from the Idaho Education Department shared how her state has taken the matter into its own hands.
Earlier this year, the Idaho Legislature passed SB 1372, which calls for data accessibility, transparency and accountability. As part of the legislation, the state will release a model vendor contract policy this summer and penalize companies for data breaches and data releases with fines as high as $50,000.
"Data privacy is everyone's responsibility," said Joyce Popp, CIO of the Idaho Education Department. "It is our responsibility to continue to evolve. Adequate is not enough when dealing with student data privacy."
That said, she stressed the importance of providing every teacher with access to student-level data while respecting and protecting that information. Regardless of whether new legislation comes through at the state and federal level, policies should not throw away the opportunity to use cloud-based tools to help students learn for the sake of privacy, said Thomas Murray, state and district digital learning policy and advocacy director for the Alliance for Excellent Education. Rather, they should hold student privacy to high standards while using technology.
Murray, a former teacher, shared the story of a girl he called "Susie." This student's dad had left home when she was young, and she struggled with reading comprehension. Through the use of educational software, Murray pinpointed her specific reading comprehension problems and created a personalized learning plan for her that he modified as she improved.
"What we cannot have happen is that we stifle the incredible innovation that is going on with personalized learning and the awesome teachers we have in our nation," said Murray, who was previously director of technology at Quakertown Community School District in Pennsylvania.
He encouraged policymakers to hold the expectation high for student data privacy, build in safeguards at the state level and be transparent about what's going on with data at the school district level.
The former director of IT policy at Cornell University listened to the discussion with interest as she heard differing ideas and recommendations for what to do about student data. Tracy Mitrano, now an expert for the online resource edu.SafeGov.org, said the discussion reflected typical American political divides over whether states or the federal government should act on issues like this and whether industry can police itself.
Mitrano doesn't buy assurances from the software industry that its guidelines and existing laws will keep vendors in check. She says the issue must be settled at the federal level with a revamp of FERPA because without federal regulation, technology cloaks what's really going on with data, and the public needs to know what's happening.
New legislation should incorporate many of the same principles that exist in the Idaho legislation and correct the harms or lapses that exist in the current federal law, she said. And ultimately, it should read more like the Health Insurance Portability Act, which provides technical safeguards, clear privacy policies and private right of action.
Healthcare is far ahead of education when it comes to policies about patients' data, and policymakers need to elevate the level of importance of student data in education, Mitrano said. She also agreed that states need chief privacy officers, and in fact, new legislation should require states to have them for three reasons:
- To harmonize data practices around the country.
- To help educate people within state government about what the federal law is, especially in school districts.
- To support school districts that can't afford to have attorneys help them with vendor contracts.
Everyone has different opinions about how student data privacy should be legislated, guided and controlled. But this is a policy conversation that the nation needs to have, and policymakers on Capitol Hill are looking to learn more about what can be done.