- The NSA data-gathering as well as the news of breeches at Target, Sony, Snapchat and others is of concern to all adult citizens. Who is looking out for student data privacy? Who speaks for children and the future of their privacy.
- FERPA has been changed to effectively allow districts and states to name almost anyone or any group “a school official” and allow access to student data. For example, in Washington State, OSPI (the Washington state education department) has signed an agreement with the Seattle Times–a for-profit, non-research entity–to allow the Times access to Seattle Schools student data.
- Individuals have no private right of action under FERPA, and no access to other paths to the courthouse. And, as well, the ramifications to a district are either a “squirtgun” (a memo of compliance will be sent to the district) or a “bomb” (federal funds will be withdrawn from the district.)
- Even if PII (personally identifiable information) for a student has been removed, it is still quite possible for a vendor or other authorized person to use other information to figure out who that student is.
- School districts are no longer the sole custodians of student data. A majority of states have created longitudinal database systems (SLDS) where individual student records have been uploaded. This includes not just PII, grade and test scores, but also disciplinary data, counseling, and medical information (among the about 400 separate data items as identified by the DOE).
- The US Dept. of Health’s “new and improved” website, claims that schools and/or school districts do NOT have to follow HIPPAA privacy laws. Indeed, that is true. As set forth in the Joint HIPAA/FERPA policy guide above, medical info, once in the hand of a district is considered an “education record.” HIPPAA does not apply to “education records”, FERPA does.
- Many groups and entities are worried. From Education New York:
The American Council on Education (ACE) stated that: “We believe the proposed regulations unravel student privacy protections in significant ways that are inconsistent with congressional intent.”
The comment by ACE was echoed by other influential groups, including the American Civil Liberties Union, the Privacy Rights Clearinghouse, the Center on Law and Information Policy at Fordham University Law School, and the World Privacy Forum, which stated that “Student and parental records will be scattered to the winds to remote and untraceable parties, used improperly, maintained with insufficient security, and become fodder for marketers, hackers, and criminals. The confidentiality that FERPA promised to students and their families will be lost.”
The American Association of Collegiate Registrars and Admissions Officers also raised a number of concerns about the changes, charging that “The proposed regulations have been overwhelmingly influenced by the single-issue lobbying of a well-financed campaign to promote a data free-for-all in the name of education reform.”
Questions parents should ask their district:
- What data is being collected and how is it used?
- How is the data being stored and what security measures are in place?
- Who has access to the data?
- When does the use of the data expire?
- How is the data destroyed by the entity being allowed to used it?
What protections parents should request from our government entities about student data:
Contractors never own student data;
- Contractors must act “at the direction of the disclosing entity and in compliance with FERPA”;
- Schools may only disclose the data to contractors for the performance of institutional services or functions that have a legitimate educational purpose;
- While FERPA-protected data is held by the disclosing entity (the school or district), it may not be used to create or improve products that were never intended for the school or district;
- Data could not be disclosed to a third party for the purpose of developing a product to market to a school or district.
- That student data may never be used for commercial purposes;
- That parents must be able to access and amend their children’s data, as FERPA provides, even when the database is in the hands of a private company;
- That safeguards must be in place when private companies transfer and store data;and
- That private companies must delete student data no longer required for an educational purpose.