About

Student privacy concerns have led to a variety of legislative responses across the country. As policymakers work to update the laws and regulations dealing with student data, there are numerous lessons to learn from efforts at the state and federal level, as well as the policy positions of leading education organizations.


The Value of Data

Schools have always held a wide range of data about our children and families: Name, address, names of parents or guardians, date of birth, grades, attendance, disciplinary records, eligibility for lunch programs, special needs and the like are all necessary for basic administration and instruction. Teachers and school officials use this information for lots of reasons, including to assess how well students at a school are progressing, how effective teachers are at teaching, and how well your school performs compared to other schools. State departments of education collect data that is then aggregated (summarized) to help guide policy decisions and plan budgets.

Data Can Help Every Student Excel (Data Quality Campaign)

Schools are also increasingly storing electronic data associated with “connected learning,” where online resources are used for instruction and evaluation. Online tools give students access to vast libraries of resources and allow them to collaborate with classmates or even peers around the world. Some of these online tools also give teachers and parents the ability to access and evaluate student work.

Schools should be able to tell communities and policymakers how they collect, use, and protect student data. To learn more about how data can be used to help students, check out the below resources.

More

Federal Laws

There are three federal laws that focus on student privacy that every policymaker should be aware of: FERPA, COPPA, and PPRA. Read all about them below.

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)

More

The Family Educational Rights and Privacy Act (FERPA) also requires that schools give parents and students the opportunity to access information in their education records. Students and parents are allowed to review and potentially amend incorrect information within their education record. Procedures should be put in place to simplify this process.

A school may not generally disclose personally identifiable information from an eligible student’s education records to a third party without written consent. There are a number of exceptions to this rule, which are laid out in the Department of Education’s FERPA Exceptions — Summary CHART.

FERPA Directory Information
Student’s Name
Address
Telephone listing
Email Address
Photograph
Date & Place of Birth
Major/Field of Study
Dates of Attendance
Grade Level
Participation in officially recognized activities & sports
Weight & Height of Athletes
Degrees, Honors, & Awards Received
Most recent educational institution attended
Student ID, User ID, or other unique identifier (that cannot be used to access education records withought a pin or password)
  • FERPA gives parents and students the right to opt out of having their “directory information” shared.
  • FERPA allows schools to share student information among designated “school officials” with “legitimate educational interests.” Schools must define these terms, and inform parents who they consider a “school official” and what is deemed a “legitimate educational interest.” This process allows schools to partner with outside persons or entities to provide educational tools and services.

Aside from the two most common FERPA exceptions listed above, there are a number of other circumstances when prior consent is not required to disclose information about a student. The following are categories of people/organizations that may not need express student consent to gain access to certain information about students.

Individual/Entity seeking information Type of information available without consent…
Parents Of Dependent Post-Secondary Students Generally – any student information
Of Non-Dependent Post-Secondary Students (1) Information in connection with the student’s health or safety
(2) Information related to the student’s violation of the law or the academic institution’s policy governing use or possession of alcohol or controlled substances
Schools In which the student intends to enroll
Financial Aid Offices Facts relevant to determining a students eligibility, amount, or conditions surrounding receiving financial aid
Authorized Representative of Federal, State, and local Governments and Educational Authorities Auditing, evaluating, or enforcing education programs
Organizations Data used to conduct studies, predictive tests, administering student aid program, or improving instruction
Judicial or law enforcement authority In compliance with an order or subpoena
Victims Results of a disciplinary hearing of a crime of violence
Third Parties Final results of a disciplinary hearing concerning a student who is an alleged perpetrator of a crime of violence and who was found to have committed a violation of the institution’s rules or policies
Community Notification Program Information concerning a student required to register as a sex offender in the State

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA) guides the protection of data, when companies collect “personally identifiable information” directly from students under the age of 13. The FTC updated its COPPA guidance in April 2014 to clarify that “the school’s ability to consent on behalf of the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose…. because the scope of the school’s authority to act on behalf of the parent is limited to the school context.” School consent cannot substitute a parent’s approval “in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service.”

PROTECTION OF PUPIL RIGHTS AMENDMENT (PPRA)

PPRA Sensitive Information
Political Affiliations
Address
Mental & Psychoogical Problems
Email Address
Sex behavior & Attitudes
Date & Place of Birth
Illegal, anti-social, self-incriminating & demeaning behavior
Critical Appraisals of other individuals
Legally recognized privileged or analogous relationships
Participation in officially recognized activities & sports
Income

State Laws and Legislation

Do you know if your state has a student privacy law? Just since 2013, 39 states have passed 106 new student privacy laws. Most of those laws impose new requirements on districts, states, and school service providers.

More

Prior to student data privacy taking off as an issue in 2014, many states had preexisting privacy laws. Some states have privacy laws that are not specific to education but still affect educational data. For example, 10 state constitutions have recognized a right to privacy,[1] and many more have general privacy protections in place for their citizens. These laws affect students, teachers, schools, and districts. Many states have specific laws regarding the disposal of records that contain personal information.[2] Some states also require government entities to have a written privacy policy in place.[3] And some, such as California, require government agencies to have a specific person responsible for compliance with privacy law.[4]

States can give students additional privacy protections, and many have: at least 35 states have passed laws supplementing FERPA;[5] 45 make their data privacy policies publically available; 48 state education agencies have established governance bodies charged with managing the collection and use of data, including how that data will be kept secure and confidential; and 45 have established policies that determine what type of data is available to select stakeholders, such as teachers and principals, who will use it to improve instruction.

The number of laws directly regulating student privacy has dramatically increased in the past three years. Since 2014, 49 states have introduced over 500 student privacy bills, with at least 100 bills introduced each year. Thirty-eight states have passed 91 laws since 2013. Generally, these laws either regulate educational agencies and institutions, such as schools, districts, and state education agencies, or regulate third parties.

Thirty-three states as of the end of 2016 have introduced either a version of California’s SOPIPA or a similar piece of legislation that regulates industry known as the SUPER (“student user privacy in education rights”) Act, and 12 states have passed those bills into law.

SOPIPA, SUPER, and other recent student privacy laws impose direct liability on ed tech operators. FERPA, which is enforced by the U.S. Department of Education is only directly enforceable against “educational institutions receiving federal funds” – which equates to most public schools. Even if a third party vendor practice causes the school to be in violation of FERPA, DOE may only hold the school liable. Any liability by the school service provider would simply be through its contract with the school. The entire purpose of states seeking to pass SOPIPA, SUPER, and other student privacy laws is to directly regulate private companies that are now so frequently working directly with students.

 

 

[1] “Constitutions in ten states—Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington—expressly recognize a right to privacy.” National Conference of State Legislatures, Privacy Protections in State Constitutions, December 11, 2013.

[2] “At least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” National Conference of State Legislatures, Data Disposal Laws, December 26, 2013.

[3] Cf. Alaska Stat. § 45.48.530; Ariz. Rev. Stat. Ann. § 41-4152; Colo. Rev. Stat. § 6-1.713; N.J. Stat. 56:8-162

[4] Cal. Civ. Code § 1798.22: “Each agency shall designate an agency employee to be responsible for ensuring that the agency complies with all of the provisions of this chapter.”

[5] Epic.org, Student Privacy


Best Practices

Over 500 bills have been introduced in 49 states since 2013. While there are many possible approaches to ensuring student privacy, some best practices have risen to the surface.

More

Assess the lay of the land prior to passing laws or policies. 

Conduct a district-wide privacy assessment and online services audit, preferably by an independent third party. By determining what services are currently in use, and to what extent student data is used and protected within those services, your district will have the basis for determining what policy or practice changes are necessary – Data in the Cloud: A Legal and Policy Guide for School Boards on Student Data Privacy in the Cloud Computing Era (NSBA)

Include all stakeholders in the conversation. 

Parents should be involved in the development of privacy norms and should provide policy input. Just as schools provide significant information about online safety and appropriate use, they should put significant effort into making sure that parents understand the measures that educators are taking to protect student privacy. – 10 Steps that Protect the Privacy of Student Data (CoSN)

Many state bills introduced over the past two years did not give district stakeholders—from classroom teachers to chief technology officers to superintendents—an opportunity to weigh in on how the bills would aff ect educational work. This oversight created problems in a few states. – Policymaking on Education Data Privacy: Lessons Learned (NASBE)

Student personal information should be used only for educational purposes. 

Students have the right to expect that companies and schools will collect, use, and disclose student information solely in ways that are compatible with the context in which students provide data. – Student Bill of Rights (EPIC)

School service providers [should] collect, use, or share student PII only for educational and related purposes for which they were engaged or directed by the educational institution, in accordance with applicable state and federal laws. –  Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services (SIIA)

Put someone in charge.

Decide who in the district is responsible for privacy. A senior administrator should be designated as the person responsible for coordinating efforts to ensure compliance with privacy laws and policies. – 10 Steps that Protect the Privacy of Student Data (CoSN)

Identify a state-level official who is responsible for privacy, data security, and compliance with all federal and state privacy laws and regulations… Identify a district privacy officer who is responsible for monitoring and complying with federal, state, and district policies on data privacy and for guiding school leaders and teachers in their use and protection of data. – Recommendations on Student Data Privacy (NASSP)

A data governance plan at the state and district levels is essential.

Develop clear policies about what student information is collected, how that data is used, to whom the data is disclosed, and each party’s responsibilities in the event of a data breach. – Recommendations on Student Data Privacy (NASSP)

Districts must establish policies and implementation plans for the adoption of cloud services by teachers and staff including in-service training and easy mechanisms for teachers to adopt, and propose technologies for instructional use. – Privacy and Cloud Computing in Public Schools (CLIP)

States, districts, and third parties with student data must be more transparent.

Schools and companies should publish the types of information they collect, the purposes for which the information will be used, and the security practices in place. Schools and companies should also publish algorithms behind their decision-making. – Student Bill of Rights (EPIC)

Communicate directly with parents about the collection and use of student data and the privacy measures and protections that are in place to preempt confusion and misunderstanding. – Recommendations on Student Data Privacy (NASSP)

School service providers [should] disclose in contracts and/or privacy policies what types of student PII are collected directly from students, and for what purposes this information is used or shared with third parties. – Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services (SIIA)

[State Education Agencies] are obligated and find it imperative to proactively disseminate data use and privacy policies in clear and transparent ways. We ensure the public has access to privacy policies and information about the use of personally identifiable data and can provide feedback regarding those policies. – Data Privacy & Security Policy Statement (CCSSO)

Have policies and procedures to evaluate and approve proposed online educational services.

Schools and districts should be clear with both teachers and administrators about how proposed online educational services can be approved, and who has the authority to enter into agreements with providers…. To ensure that privacy and security concerns relating to these free services are adequately considered, the Department recommends that free online educational services go through the same (or a similar) approval process as paid educational services. – Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices (PTAC)

Ensure that all third-party vendors that collect or have access to student data have written contracts that specifically address privacy and the allowable uses of personally identifiable information, and prohibit further redisclosure of personally identifiable information without parental consent. – Recommendations on Student Data Privacy (NASSP)

School service providers collect, use, or share student PII only in accordance with the provisions of their privacy policies and contracts with the educational institutions they serve, or with the consent of students or parents as authorized by law, or as otherwise directed by the educational institution or required by law. – Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services (SIIA)

 

Legislators should be careful of unintended consequences from student privacy legislation. 

Analyzing the effects of laws and policies in other states can help policymakers craft good data protection plans in their own. Other states’ laws sometimes offer cautionary tales of language that proves to be imprecise or implementation issues that were not fully thought through. Frequently, these issues arise when key stakeholders do not get a chance to weigh in on the legislation’s potential impact before its drafting. – Policymaking on Education Data Privacy: Lessons Learned (NASBE)

Training is essential in ensuring student privacy laws are properly implemented and followed. 

Unless you train your staff, they will not know what to do or why it is important. Annual privacy training should be required for any school employee who is handling student data, adopting online education apps or procuring and contracting with service providers. Privacy laws represent legal requirements that need to be taken seriously. – 10 Steps that Protect the Privacy of Student Data (CoSN)

“Even though the odds of an earthquake are low, teachers in California are trained how to keep students safe.” said [Paige] Kowalski [of the Data Quality Campaign], “Why do we continue to risk student safety by not also training teachers how to deal with the far more regular occurrences of privacy and confidentiality breaches?” – Policymaking on Education Data Privacy: Lessons Learned (NASBE)

Coordinate an annual privacy training for all school and district employees who have access to personally identifiable student data, adopt online educational services or apps, or procure and contract with service providers. – Recommendations on Student Data Privacy (NASSP)

To be ensure consistent implementation of your school district’s policies and procedures regarding student privacy, extensive staff training may be necessary. Individual classroom teachers should not make unilateral decisions regarding implementation of online services. School district staff need to be informed not only of the basic legal requirements and the specific policies and procedures that must be followed in your district, but also of privacy “norms” that fuel public sentiment and understanding of what privacy means. – Data in the Cloud: A Legal and Policy Guide for School Boards on Student Data Privacy in the Cloud Computing Era (NSBA)

Review and adjust passed policies and laws.

Interpretations of privacy laws are changing, and new laws may be added. School policies and practices will need updating and adjustment so that they reflect legal requirements. Processes can become burdensome and when that happens, some people may want to skirt the process. Seek input from those involved to ensure that the processes are not hindering teaching and learning. – 10 Steps that Protect the Privacy of Student Data (CoSN)

Recommended Resources

Resources for Policymakers

State legislators and policy makers should also be aware of the wide variety of policy papers that provide different perspectives on student privacy. Please refer to the papers, testimony, and guides below.

More

Resources

  • Publications from the Alliance for Excellent Education
    Alliance publications synthesize research and information about promising practices to enlighten the national debate about education policies and encourage the development and implementation of federal and national policies that support effective high school reform and increased student achievement and attainment.
  • Digital Learning Now’s Policy Resources
    Digital Learning Now provides specific guidance for policymakers and education leaders regarding the adoption of effective tools for digital learning and the shift to a more personalized education.
  • National Association of State Boards of Education released a new policy brief in April 2015 explaining why concerns over student data privacy have dominated the headlines, and what states—and state boards of education in particular—are doing to ensure the safety of student data.
  • Additionally, the Data Quality Campaign and the Foundation for Excellence in Education have partnered to offer a series of online courses on education data, including a seminar on student data privacy.

School Boards Set the Vision: Student Privacy (iKeepSafe)