Student Data Privacy: What’s Your Obligation?

For over two centuries, student information and data was kept in paper form, often in filing cabinets in a school or district office. During this time, there was little concern over security breaches, improper data sharing, or student privacy issues. Similar to other industries (healthcare, financial, etc.), over the past few decades, the vast majority of personal information, for both students and employees, has been digitized. The move to the digital storage of information has enabled many solutions expected by schools today - online portals for parents, real-time communication with families, etc. However, the misuse and breach of digital student information has brought data privacy to the forefront.

In 2014, I was asked to testify before Congress, in front of the U.S. House Education and Workforce Subcommittee on Early Childhood, Elementary, and Secondary Education and the U.S. Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. A few months prior to the hearing, data breaches at both Home Depot and Target became national news. The congressional hearing focused on the appropriate use of data by school employees, levels of access and security, as well as third party vendors that districts partner with to provide tools and resources for student learning. In a few short months, the notion of student data privacy went from a topic that was rarely discussed by school leaders to one that was being discussed at length at the federal, state, and local levels. Public concerns regarding student data security and access, as well as new laws being enacted at various state levels forced many districts to adopt policies on maintaining and securing student data, appropriate levels of access, and student privacy.

Today, a number of years later, some districts have still done little to no work in this area. These districts remain a few mouse clicks away from finding themselves in national news headlines. Even with proper policies in place, cyber-security and human error can still remain an issue. Some nightmare scenarios for districts that made national news include:

“D.C. accidentally uploads private data of 12,000 students.”
Records of 12,000 special education students who attend public and charter schools in Washington D.C. had their personal information, including student identification number, race, age, school, disabilities, and services received accidentally uploaded to a publicly accessible website.

“Hackers alter students’ grades at NC high school, send false transcripts to colleges.”
In this North Carolina high school, hackers broke into the district computer system, changed grades and transcripts, and subsequently sent false transcripts to colleges.

“Wake Schools Sent Postcards Containing Social Security Numbers.”
In 2009, a programming error combined with human oversight, caused the Wake County School District in North Carolina to send out 5,000 postcards with labels containing student names and social security numbers, out of the 15,000 that were sent to parents.

As it relates to student privacy, school district leaders must understand and follow various levels of laws and policies. Each school district must adhere to the following:

• Federal Law (CIPA, COPPA, FERPA, PPRA)

• State Law

• Local School Board Policy

With vast levels of laws pertaining to student information, it’s easy to become overwhelmed, especially for the vast majority of educators who don’t have a legal background. To support educators in navigating these waters, Samsung released “Student Privacy Begins With This Simple Strategy,” sharing concrete ways for educators to stay up-to-date and on top of ensuring student privacy. Ten other must have privacy-related resources include:
- Data Quality Campaign
- Future of Privacy Forum
- FERPA|SHERPA
- Privacy Technical Assistance Center
- Student Data Principles
- CoSN’s Protecting Privacy Toolkit
- U.S. ED’s Model Terms of Service
- The Educator’s Guide to Student Data Privacy
- Student Privacy Pledge
- Student Data Privacy Communications Toolkit

From regulating online content on the school network, to deciphering where districts must obtain parent permission, districts often find themselves lost in a sea of legal acronyms pertaining to the various laws and policies currently in place. Districts must find the balance between encouraging the dynamic use of technology tools and the need for access, with the letter of the law. Seeking counsel while networking with other districts to promote the needed access, while ensuring safety and security, is key.

All for the kids we serve,