Taking Steps Towards Student Data Privacy

Posted on May 9, 2014 by Bob Moore

The privacy of student data has captured the attention of the education community like no other issue in recent memory. Parents, policymakers, educators and vendors alike agree that existing privacy laws are confusing at best and that actual compliance with those laws can be very difficult.

While the issue of student data privacy is very complex and systemic, by breaking it down into digestible chunks, educators can begin to take concrete steps to better protect student privacy.

When people talk about privacy they are generally referring to three types of student data.

  1. Data that has been collected and stored about a student related to their schoolwork. Examples: demographic data, grades, assessment scores, etc.
  2. Data that has been created by the student through the course of their schoolwork. Examples: email messages, presentations, blogs, etc.
  3. Data that has been collected by an online service provider/website about student use of the online tools. Examples: website cookies, IP address/location, usage patterns, etc.

Consider these questions about student data:

  • Do companies have the right to collect data about student use?
  • Do students (and parents) have a right to opt-out?
  • Who owns the data?
  • For what purposes can the data be used?

By struggling with these questions, you’ll soon see why the issue of student data privacy is so complex.

While there are two laws that are most prominent when it comes to student privacy, there are actually four federal laws that educators need to know. And keep in mind, as of this post, more than 80 state laws have been proposed regarding student privacy, many of which are far more restrictive than some federal laws.

Family Education Rights & Privacy Act (FERPA): Regulates the release of personally identifiable information and education records, including parental rights regarding notification of the release of records, as well as the right to review, inspect and amend such records.

Children’s Online Privacy Protection Act (COPPA): Pertains to websites and online services that seek to collect information about or from students under 13 years of age. COPPA specifies language that should be in the privacy policy of the service, as well as when the service must have parental consent to collect the information.

Protection of Pupil Rights Amendment (PPRA): Establishes requirements related to parental notification and an opt-out option when collecting information from students that may be used for marketing purposes.

Health Insurance Portability & Accountability Act (HIPAA): Includes both privacy and security requirements regarding health-related information.

By now you’re probably wondering if there are any good resources that can help educators navigate through all of this. While there is not one comprehensive, easy-to-use guide, I can suggest two excellent resources.

The US Department of Education’s “Privacy Technical Assistance Center” is one of the better resources for information about the application of key privacy laws affecting K-12 schools. This is a must-know resource for anyone working on K-12 privacy issues.

CoSN’s (Consortium for School Networking) “Protecting Student Privacy in Connected Learning” toolkit is a collection of practical resources that includes a how-to flowchart for FERPA and COPPA, as well as suggested service provider contract terms, security questions to ask your online service provider and information about other emerging privacy issues.

CoSN’s toolkit, which is free, was developed in cooperation with the Berkman Center for Internet & Society at Harvard University and the Harvard Cyberlaw Clinic. The Association of School Business Officials International has endorsed the toolkit, and Microsoft provided underwriting support. CoSN plans updates and additions throughout the year to include information about PPRA and HIPAA.

The best time to start working to better ensure student privacy is now. It is a difficult, but not an impossible, issue. Keep informed, rely on good resources, take concrete steps and remember to involve others. All stakeholders have an interest in student data privacy and should be included in the process.

Bob Moore has enjoyed a career of 26 years in education technology. His work has included more than two decades as a CIO in K-12 schools and several years as lead strategist for a multi-billion dollar global ed-tech business, as well as many years of active leadership in organizations such as CoSN. In 2012 Bob founded RJM Strategies LLC and works with schools and ed-tech business clients as a strategist, advisor and subject matter expert. His life’s work is grounded in his tenacious commitment to vision, innovation, integrity and practicality.