Student Data Privacy Concerns to Impact EdTech

Student data privacy has become a hot button issue for many educational companies and concerned parents. Some states have created more rigorous policies to protect the privacy of students, while politicians are looking to the federal government to pass a bill that will do the job.

The Privacy Technical Assistance Center (PTAC) was created by the The U.S. Department of Education two years ago to clarify policies and legal issues around education technology. Today, that need is still relevant.

“How Data Mining Threatens Student Privacy” by Joel R. Reidenberg, a Fordham law professor, made it clear that schools did not know what they were doing when signing off on contracts with third party vendors. This review was a wake up call to a lot of schools.

And in April, PTAC along with educational groups, designed guidelines to keep schools, districts, and parents in the know about best practices concerning student use with third party services including edtech apps, web based tools, and software.

Some of guidelines and practices PTAC describes are:

  • Maintain awareness of other relevant federal, state, tribal, or local laws.
  • Be aware of which online educational services are currently being used in your district.
  • Have policies and procedures to evaluate and approve proposed online educational services.
  • When possible, use a written contract or legal agreement.
  • Extra steps are necessary when accepting licenses that simply require a click to accept.
  • Be transparent with parents and students.
  • Consider that parental consent may be appropriate.

Some federal student privacy policies are covered under the Family Educational Rights and Privacy Act (FERPA) put in place in 1974, but many agree that these need to be updated with how much technology has advanced and affected education such as cloud-based storage and classroom iPad use.

One of the things FERPA does not protect is metadata, which is data that is not considered personally identifiable information (PII), such as the length of time it takes for students to read a passage. And many third party services are so varied, that it’s hard for educators to know what is protected under FERPA.

The concerns of what technology may be doing to exploit students is heard alongside the argument of what technology can do to help. Many edtech tools use technology to raise a teacher’s awareness of student progress, and catch kids that are falling through the cracks before it’s too late. These advocates helped make recent changes to FERPA, which also allowed for an increase in sharing student data in the private sector.

Beyond arguably outdated FERPA laws and general guidelines, there is a definite energy to the student data issue, and things are happening. In June there was a joint subcommittee hearing on how data mining threatens student privacy, and in May, US Senator Edward J. Markey and Senator Orrin Hatch released a discussion draft of legislation that will introduce the “Protecting Student Privacy Act” bill.  These changes would:

  • Require that data security safeguards be put in place to protect sensitive student data that is held by private companies;
  • Prohibit the use of students’ personally identifiable information to advertise or market a product or service;
  • Provide parents with the right to access the personal information about their children – and amend that information if it’s incorrect — that is held by private companies just as they would if the data were held by the school itself;
  • Make transparent the name of companies that have access to student information by directing school districts to maintain a record of all outside companies with which the school contracts;
  • Minimize the amount of personally identifiable information that is transferred from schools to private companies;
  • Ensure private companies cannot maintain dossiers on students in perpetuity by requiring the companies to later delete personally identifiable information.

According to the Electronic Privacy Information Center, as of September 2002, thirty-five states have passed laws supplementing FERPA. More recently, California is working to pass a rigorous bill to protect student data privacy. The bill would limit how websites, online services, and applications use student data. In March, Idaho passed legislation proposing better data-governance practices. According to Idaho Education News, the “bill requires data security plans [to] be adopted and establishes a $50,000 penalty for the inappropriate release of student data.”

In June, the Massachusetts Department of Elementary and Secondary Education released the document, Policies Relating to the Collection and Use of Student Data, along with a list of third party companies that have been given access to student data.

It is federal law that a student’s PII can be disclosed to other school officials who have legitimate educational interests, but Massachusetts is stricter with their data. The Student Records Regulation states no individuals other than the parent, student, or school personnel working directly with the student are allowed to have access to students’ records without written consent by the parent or student.

Bills are quickly passing from state to state adopting tougher laws restricting the use of student data. At the June subcommittee hearing to edtech companies, Secretary of Education Arne Duncan warned attendees to help themselves, “It is in your best interest to police yourselves before others do.”


Photo credit: Perspecsys

Michelle Harven

Michelle Harven

Michelle is a current graduate student at Emerson College and an intern at Boston's public radio station. She enjoys exploring the world of educational technology and writing about the ever-changing sector and its potential.