Corporate Compliance Insights

New Focus on Student Data Privacy – How to Navigate it All

by Grant Waterfall
August 14, 2015
in Compliance

with contributing author Carolyn Holcomb

Advances in school technology have revolutionized the classroom experience. The information generated from the applications and tools running on student computers allows teachers to personalize student learning and lesson plans, as well as provide real-time feedback tailored to each student’s academic needs. This boom in digital solutions for the classroom is not only revolutionary, but arguably critical to student learning and development. Yet in recent months there has been increased legal and regulatory focus on how leading tech companies and educational organizations use student data. The challenge for these tech and educational organizations is how they can continue progress in the classroom while complying with an abundance of new and changing laws, regulations and guidance.

Regulatory Environment

Federal Legislation

There are two primary federal laws impacting the use of student data: the Family Educational Rights and Privacy Act (FERPA), which protects student data from the unauthorized disclosure of education records, and the Children’s Online Privacy Protection Act (COPPA), which regulates marketing to children 13 years or younger.

While these federal laws are nearly 40 and 20 years old, respectively, the challenge for businesses and organizations touching student data is figuring out how these legacy laws apply to modern classroom digital issues.

State Legislation

In 2014, 36 states introduced a whopping 110 bills. California distinguished itself as a leader in student data protection legislation by enacting the Student Online Personal Information Protection Act (SOPIPA), a law prohibiting technology companies from collecting student information for advertising and marketing purposes. To date, California’s law is one of the more comprehensive student privacy laws enacted. Subsequent state laws have modeled their requirements off California’s comprehensive legislation. However, while many state laws reflect California’s SOPIPA legislation, the volume of bills introduced, discussed and enacted across the country has created a patchwork of laws that are anything but uniform. Tech companies, their vendors and educational organizations are finding it increasingly challenging to navigate the varying, and potentially conflicting, state laws.

White House Initiatives

In January 2015, President Obama visited the Federal Trade Commission (FTC), where he proposed legislative improvements on student privacy. These sentiments were further reinforced during the State of the Union address that same month, where the President encouraged Congress to enact legislation around protecting student data. As a result, Congress proposed three different bills specifically addressing children’s educational data: the Student Privacy Protection Act (Senator David Vitter, R-LA), the Student Digital Privacy and Parental Rights Act of 2015 (Representatives Luke Messer, R-IN and Jared Polis, D-CO) and the Protecting Student Privacy Act (Senators Edward Markey, D-MA and Orrin Hatch, R-UT). While it is unclear whether any of these bills will eventually establish a new compliance standard for protecting student data, it is nevertheless a key focus for the White House and an item for leading tech companies and educational organizations to keep in mind.

Protecting Student Data Beyond Legislation

While federal and state law are in flux, President Obama publicly encouraged leading tech companies to sign and immediately adhere to the K-12 School Service Provider Pledge to Safeguard Student Privacy, commonly known as the Student Privacy Pledge. With Presidential support, the Student Privacy Pledge has quickly become a baseline standard by which tech companies can assess their conformance with generally accepted student privacy practices. While compliance with the Pledge is currently voluntary, it is enforceable by the FTC under Section 5 of the Consumer Protection Act and over 150 companies have signed on to honor the Pledge to date.

At a glance, the Student Privacy Pledge requires ed-tech companies to:

  • Not sell student information
  • Not use behavioral advertising
  • Use data for authorized education purposes only
  • Not change privacy policies without notice and choice
  • Enforce strict limits on data retention
  • Support parental access to, and correction of errors in, their children’s information
  • Provide comprehensive security standards
  • Be transparent about collection and use of data

Guidance from the U.S. Department of Education earlier this year encouraged school districts to check if their ed-tech provider(s) had signed the Pledge as a part of the contract negotiation process. Failure to sign the Pledge could raise a presumption of inadequacy in privacy and security governance in these negotiations. Without the Pledge as a baseline, the provider might be forced to negotiate “one-off” assurances around security and privacy across multiple agreements with different customers. These assurances could be more burdensome and more difficult to monitor, increasing the risk of noncompliance.

Ed-tech companies must weigh the potential risks and benefits of signing the Pledge. In doing so, the organization will need to assess its practices in relation to student data. However, taking a more holistic view of all personal information may be beneficial and, perhaps, necessary.

So what now?

Whether your organization is struggling with how to identify laws and regulations that apply, or whether you’re debating signing the Student Privacy Pledge, there are steps you can take to assess general compliance around accepted privacy and security practices. By implementing these initial best practices, you will help your organization better understand your data handling procedures and determine the impact they have on student data. Some key best practices include:

Identify Regulatory Compliance Requirements: Creating a blueprint for regulatory compliance impacting your business will help identify specific state, federal and/or regulatory guidance with which you and your vendors must comply. This further includes identifying whether signing the Student Privacy Pledge is appropriate for your organization.

Conduct Program Maturity Assessment: Conducting a privacy and security program maturity assessment can help your organization identify how mature policies, procedures and training are, and especially whether they are considering student data privacy protections. Using a third-party assessor can help provide an assessment of your organization’s maturity as compared to peers.

Create Data Inventory: Creating a data inventory to better understand how data, and specifically student data, is collected, used, shared (including by vendors) and stored, as well as what risks are associated with the data flow is essential to knowing how to protect that information. Only when organizations understand where their data is stored can they determine and implement appropriate protection.

Implement an Information Governance Model: Implementing a strong governance model creates a necessary culture around protecting data. Defining roles for accountability and responsibility is a first step in establishing strong governance within your organization, especially if protecting student data privacy specifically has not been a historical focus.

Implement a Vendor-Management Program: Implementing a robust vendor on-boarding program to analyze contracting processes can identify how data is being collected, used and shared only based on defined purposes. For multi-year contracts, define and implement a process to re-assess controls and re-validate contracts periodically to check that high-risk vendors remain operationally effective. Control assessments can be achieved by reviewing a vendor’s SOC2 report or by performing independent audit procedures.

Implement Privacy by Design: Integrating privacy throughout the product life cycle, including design, architecture and associated marketing campaigns can increase privacy’s visibility in product development, as well as the likelihood that potential misuse of data, specifically student data, is identified.

Require Privacy Training and Promotion: Training employees on their obligations to protect and safeguard sensitive data, specifically how they use educational data, will highlight a commitment to complying with student data-handling requirements.

Continuously Improve: View this effort as a program and not a project. Implement oversight, monitoring and independent verification to identify risks over the life cycle of student data. Take action to remediate uncovered risks.

 

Resources:

Chrys Dougherty, Getting FERPA Right: Encouraging Data Use While Protecting Student Privacy, in A Byte at the Apple: Rethinking Education Data for the Post-NCLB Era 38, 39 (Marci Kanstoroom & Eric Osberg eds., 2008).

edSurge: https://www.edsurge.com/n/2015-06-16-state-by-state-legislation-understanding-ferpa-and-a-student-s-role-in-data-privacy

Will Congress Overhaul FERPA: https://privacyassociation.org/news/a/will-congress-overhaul-ferpa/

Data Quality Campaign, State Student Data Privacy Legislation Resource

edSurge: https://www.edsurge.com/n/2015-06-18-which-student-data-privacy-bill-will-become-law

Full link to the Student Privacy Pledge: http://studentprivacypledge.org


Grant Waterfall

Grant Waterfall is a partner on international assignment from the PwC UK London office. He is based in New York and is PwC’s global cybersecurity, privacy and technology risk assurance leader. He primarily serves Fortune 500 clients in the areas of cybersecurity, cross border privacy and IT Risk. After joining PwC in 1994, Grant held a number of positions across the firm in Europe and the U.S. He is a risk and controls specialist with a strong background of advising clients on developing their information risk management and assurance functions. Over the past 7 years he has been responsible for building and leading the UK cybersecurity and IT Risk Assurance practice and developing PwC’s digital practice. Grant has a long history in large-scale systems implementation projects, large program assurance, systems assurance, outsourcing and offshoring projects, cybersecurity, privacy and IT risk management. Grant also has led internal audit co-sourcing assignments at a number of companies and has led the systems and process assurance elements of a number of multinational audits. This experience has equipped him to work seamlessly across IT and finance functions and with internal auditors and external auditors while also effectively communicating issues with Boards and audit committees. Grant is a chartered accountant and Certified Information Systems Auditor (CISA).
