Student Data Privacy: Who Has Access, and How is it Protected?

What is Student Data?

In the Information Age, data privacy and child protection are the two most important topics in international digital legislation. Unique issues arise, however, where the two fields overlap: in student data privacy.

Student data includes many things beyond just grades. This includes directory information--name, telephone number, address, date of birth, and other identifiers--as well as more personal information. Disciplinary records include any punishments that students have received, including reason and duration. Schools may also track certain health information, such as immunization and medical records, weight, mental health, and pregnancy status. Other data collected by the school can indicate the student and their family’s financial status--whether the student is eligible for free or discounted meals, and whether the student is homeless.

Who has Access to this Data?

Schools are not the only organizations that have access to student data. The Family Educational Rights and Privacy Act (FERPA), the main federal law regarding student privacy, requires explicit adult student or parent consent for schools to release personal information--with a few exceptions. Health records maintained by schools are exempt from HIPAA and are only protected by FERPA. Schools can publish directory information on their students with only a notice to parents.

Schools can also share any student information with organizations conducting research on schools and students. This data must be destroyed once the personally identifiable information (PII) is no longer needed for the study, but the school can provide it without the consent of the parents. These organizations include textbook manufacturers and companies that use that information to develop and refine their products. Educational technology companies providing products and services to schools also have a great deal of access to data provided by students and schools.

Benefits and Concerns

Collecting student data and providing it to researchers and edtech is instrumental in developing new teaching methodologies. Schools need to collect mental and physical health data on students in order to develop the legally-required Individualized Education Plans (IEP) for students with disabilities. Edtech programs can monitor a student’s performance and provide guidance about their problem areas and effective learning strategies. Expanding this concept, this data can also be useful for determining educational and spending priorities for entire school districts by documenting the needs and progress of groups.

There are many reasons to collect data and share it for research purposes, but there is currently only limited guidance and law on how this can be done effectively and securely. While advancing edtech to enhance the learning experience is an effective use of data, these outside organizations do not necessarily have the same FERPA non-disclosure requirements as educational institutions. Many parents and students are concerned about student data potentially being sold to third parties or used for advertising. It is difficult to be assured that edtech companies have complied with school or district requests to delete data. Even more concerning, if an edtech company folds, large stores of data may be unaccounted for. Considering the amount and sensitivity of information that must be collected on students, it is not surprising that parents are concerned about potential vulnerabilities and misuses of this mass of data.

What This Means

The power of student data to develop more effective teaching services and practices cannot be overstated. As such, the law must set standards that allow the effective use of data while protecting the legitimate privacy concerns of students and families. California’s Student Online Personal Information Protection Act (SOPIPA), passed in 2014, is a good example of modern student privacy protection that multiple other states have emulated. SOPIPA requires that digital services provided in California that are designed for and used by K-12 education:

  • Not use data collected by their services to target ads or generate advertising profiles;
  • Not sell student information to other parties;
  • Not disclose student information unless required by law or as part of its development process;
  • Use sound information security practices, such as encryption;
  • Delete data when the school or district requests it;
  • Only share information with educational researchers or agencies;
  • Only use anonymized, aggregated data.

While SOPIPA has some gaps--it is very broad as to what it allows companies to do with anonymized data, and only grants the right of deletion to schools and not students or parents--it is a model law that indicates a trend toward a reasonable student privacy management system.

As laws protecting student privacy rights become more commonplace, schools, school districts, and edtech companies must stay up-to-date with their privacy practices in order to comply with modern standards.

Conclusion

Educational technology has become more widespread and integral to modern American K-12 education, but the law has not yet caught up in regard to student privacy protections. Edtech companies have access to very sensitive data provided by students who may not have a full understanding of what information they provide. Edtech companies are not, by default, covered by laws like FERPA, which forbid educational institutions from disclosing student data freely. As such, edtech companies are able to collect a significant amount of sensitive data with limited oversight.

Stronger student data privacy protections must be put in place to protect against potential abuses, intentional or accidental, by edtech companies. While there is a trend in legislation towards increased student and child online data protection, it is gradual and on a state-by-state basis. As it stands, the most important thing to do remains to tell your children to never share any personal information online--even in school.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), SOPIPA, and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information, visit https://ardentprivacy.ai/.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.