Student data privacy has been a hot topic throughout the last year, and while federal legislation has been discussed for a while, it's now a reality.
After releasing draft legislation for public comment in May, senators Edward J. Markey (D-Mass.) and Orinn G. Hatch (R-Utah) introduced the "Protecting Student Privacy Act" on Wednesday, July 30. The bill would update a section of the Family Educational Rights and Protection Act (FERPA) that deals with student education records, which are directly related to a student and maintained by an educational agency, educational institution or a party acting for either one of them.
The proposed legislation clearly spells out information security practices and data responsibilities for both education institutions and outside parties. It also ties federal education funding to whether education institutions follow the provisions of the bill.
No funding will go to education institutions that:
- do not implement information security policies that protect personally identifiable information or require outside parties to do the same;
- provide access to personally identifiable information in student education records for marketing or advertising purposes;
- include personally identifiable information in requests for student information when it's not necessary; and
- do not require outside parties to destroy information when it's no longer needed.
Outside parties must do the following:
- maintain the same or higher privacy standards than education institutions;
- give parents access to students' personally identifiable information and allow them to challenge, correct or delete data through a hearing process;
- keep a record of everyone who requests or accesses the education records they hold; and
- follow information security policies or procedures for education records.
While the Data Quality Campaign agrees that student privacy is important, Director of Federal Policy Kristin Yochum doesn't think this amendment accomplishes student privacy goals or is necessary. She argues that the existing FERPA legislation already deals with issues such as data destruction and marketing.
"It is not necessary to go through the extensive project of opening up the law again to re-legislate what has already been effectively legislated," Yochum said.
The law currently does not permit these types of actions, but this bill takes it a step further to prohibit them, she said. And by changing the language of the law, there could be unintended consequences, though no one really knows what those unintended consequences could be.
Another issue is that FERPA can only regulate and penalize education institutions, not vendors who might use the data in longitudinal data systems, transportation and meal provisions. Because FERPA has no direct authority over vendors, it might be worth the time to create new legislation that specifically regulates vendors.
Yochum suggests that the states are already addressing the student data privacy issue with more than 100 pieces of legislation, and that's where student data policy should be decided.
But states are addressing this issue because the current FERPA law does not adequately protect student data, argues Bradley S. Shear, a digital privacy lawyer with Shear Law LLC in Maryland. Congress passed the existing law four decades ago and has not updated it to deal with the technological advancements of the digital age.
As the parent of two children who will enter the public school system over the next few years, Shear said, that he wants their personal privacy to be protected. "And the current regulatory and legal scheme does not do it in a manner that it should."
Parents do not have much recourse when it comes to fighting for their students' privacy, and a large number of letters obtained by the Electronic Privacy and Information Center show that the Department of Education frequently does not investigate parent or student complaints for various reasons. Despite the law's threat of pulling federal funding from schools for privacy violations, Shear has not heard of one incident where that has actually happened.
While two senators have now stepped forward at the federal level to address this issue, the amendment does not go far enough, Shear said. He would like to see the bill amended so that parents have the option to pursue a private right of action when students' privacy is compromised. The definition of education records also needs to be expanded to include metadata, emails and other digital interactions that students engage in for school.
The Markey and Hatch amendment is "a good first step, but it really needs to have more teeth," Shear said.
Students' academic metadata is spread across the technology platforms of many vendors, some of whom have already received public backlash for their data practices. For example, Google retained the ability to scan student email for advertising purposes and later this year decided to reverse its policy. In a 2013 study on cloud computing in schools, the Center on Law and Information Policy at Fordham University found that many companies had troubling privacy policies and agreements in place, with less than a quarter of 20 school districts saying that their contracts specified the purpose for disclosing student data.
"Absent laws in place that hold vendors accountable, there will be bad actors that spoil the whole bunch, and tar and feather the whole industry," Shear said, "and I don't think that's fair to other ed tech companies that really care about student privacy and make that a hallmark of their offering."
Across the country, opinions are divided on whether FERPA needs to be strengthened or whether it does enough to protect student privacy. In a congressional hearing in June, four panelists came down on both sides of the issue, with some saying it leaves holes in student data privacy and others saying that new legislation could stifle innovation.
For now, new legislation is on the table, and it will be up to Congress and the President to figure out whether it will do the job of keeping student data private.
Editor's note: This story was updated at 2:00 p.m. on July 31, 2014 to include an interview with Bradley S. Shear, a digital privacy lawyer with Shear Law LLC in Maryland, and information relevant to this interview.