School Safety Report Neglects Privacy Concerns

By Sara Collins, Tyler Park, and Amelia Vance

Yesterday, the Federal Commission on School Safety released a report detailing its conclusions, after holding a series of meetings and hearings in the wake of school shootings such as the one at Marjory Stoneman Douglas High School in Florida on February 14th. Nearly every aspect of the Commission’s report focuses on sharing data and, thus, has privacy implications for students, teachers, and the public.

The Commission’s Privacy Recommendations Were Limited and Unhelpful for Districts Seeking to Balance Privacy and Safety

During the Commission’s deliberative process, FPF provided comments and was invited to testify about those privacy issues. We recommended that the Commission’s report consider the full range of privacy risks and harms, as well as the importance of privacy safeguards, in its efforts to improve school safety. Specifically, we underscored the need for better communication to stakeholders about current privacy laws and the importance of creating “privacy guardrails” in the context of school safety plans, and we asked that the Commission provide districts with guidance on how to implement such guardrails. It was important for the Commission to provide privacy recommendations because districts may not realize that the recommended school safety measures raise serious privacy concerns if implemented improperly. And for districts that do understand the privacy implications, no models or best practices have been provided. While the report recognizes the importance of privacy safeguards, unfortunately it does little to help schools improve safety in a manner that protects students’ privacy.

The report quotes FPF’s John Verdi, who noted during his testimony on July 11 that trust is crucial in the education context, and that “maintaining appropriate safeguards for students’ privacy helps create and maintain trust.” The report also cites the testimony of Jennifer Mathis, of the Bazelon Center for Mental Health Law, who spoke of the importance of HIPAA privacy protections for people with mental health disabilities. The Commission notes that “[w]ithout the assurance of privacy protections, students are less likely to seek help when needed and less likely to engage openly with mental health counselors or other service providers.” The Commission also states, “it is important to incorporate appropriate privacy protections and to comply with privacy laws” but does not elaborate.

Although several sections of the report acknowledge the need for privacy safeguards, the Commission unfortunately offers little guidance—except on acceptable data sharing during emergencies under the federal student privacy law, FERPA—to educators, districts, or states on how to implement security measures while including appropriate privacy protections. This is particularly unfortunate since, throughout the report, the Commission provides specific, useful examples of effective programs at the state and local levels focusing on reporting threats, hardening schools, and training personnel. For example, the report recommends the use of “appropriate systems to monitor social media and mechanisms for reporting cyberbullying incidents” but does not mention the privacy implications of such monitoring or appropriate privacy protections, despite FPF’s comments on this issue. The Commission’s relative neglect of privacy safeguards may indicate that privacy was not a top concern.

A Surprising Call for FERPA “Modernization”

The report articulates ways that schools can share information under FERPA, as it is currently written, to protect students’ safety, noting that the major issue (which FPF identified in our testimony) is that most schools are not aware of FERPA’s flexibility. Unexpectedly, the Commission recommended that Congress revisit FERPA, and this was the only recommendation in the report that clearly called for Congressional action.

The report calls for FERPA revisions in order “to account for changes in technology since its enactment.” A rewrite of FERPA would affect information sharing far more broadly than in the context of school safety, with major implications for the use of data and technology in both K-12 and higher education. The report’s recommendation to revisit FERPA indicates that the Department of Education may plan to actively push for a FERPA revision in Congress in 2019.

No Recommendation for Empirical Research on Root Causes of School Shootings and Effective Prevention Measures

Unfortunately, the Commission did not recommend neutral, expert analysis of empirical data regarding the nature, extent, and leading causes of key privacy and safety risks facing students and schools. FPF’s testimony noted that, as a society, we have imperfect empirical understanding of the causes of school shootings and of measures taken to prevent them. Recommending such research would have been an important step toward improving school safety. Without more research, there is extremely limited evidence that the Commission’s recommended actions will help keep students safe.

Overall, this report is likely to be very useful to schools seeking a fairly comprehensive look at ways, including examples, to keep students safe. However, it seems unlikely that schools would understand from this report that many of the Commission’s recommendations and examples raise major privacy concerns. These concerns are not just about what is allowable or appropriate to share under FERPA; privacy is about more than the law. Schools and communities need resources and advice about what privacy guardrails look like in practice. Models for this are scarce, but the report should have more strongly emphasized the importance of privacy and encouraged districts to think beyond existing law to build privacy guardrails into their school safety programs.