Proposed Rules Guide States on Managing Student Privacy
Proposed changes to federal privacy rules likely to take effect this summer couldn’t be more timely for education systems: They offer first-time guidance on managing student privacy in gathering education data just as states and districts put the finishing touches on federally mandated longitudinal-data systems.
The rules would guide education officials on the delicate task of how to make use of these data systems, while also holding researchers and others responsible for protecting the information they use.
Under grants received through the American Recovery and Reinvestment Act, better known as the economic-stimulus law, states have until Sept. 30 to complete comprehensive longitudinal-data systems that can trace a student’s academic career from preschool through college. Experts say the linked data will be an unprecedented boon both to researchers and educators looking to pinpoint academic problems and successes.
The U.S. Department of Education proposed regulatory changes last month to the Family Educational Rights and Privacy Act, or FERPA, intended to help states ensure the longitudinal-data systems are used safely.
“We think that the newly released guidelines around FERPA are critical for states to truly go from building [state data systems] in a technical fashion to actually using them to improve student achievement,” said Aimee R. Guidera, the executive director of the Data Quality Campaign. The Washington-based nonprofit late last month released a white paper on protecting student privacy.
“For the first time ever, these regs acknowledge that there is a role for the state data system, and that has been the biggest problem with FERPA to date,” Ms. Guidera said. “This outdated statute was trying to be applied to a longitudinal-data system that was not even around when FERPA was written, and [the law] had never caught up to it.”
Feedback for Pre-K-12
Among the changes, high school and college administrators would be allowed to share individual student-achievement data to track graduates’ postsecondary performance—flexibility Ms. Guidera said states have been requesting for years.
Donald J. Houde, the president of the Houde Consulting Group in Fountain Hills, Ariz., and a former chief of information, technology, and security for Arizona’s state longitudinal-data system, agreed. “Data always flowed upstream from school to district to the state, and giving it back was problematic,” he said.
For example, Kathy Gosa, the director of information technology for the Kansas education department, said her state is putting the final touches on a system linking data from preschool through grade 12 with higher education data. With support from the economic stimulus and a grant from the Institute of Education Sciences, the state is unifying student-tracking numbers across both systems, but has been operating so far under memoranda of agreement cobbled together among different agencies.
“We’ve only been able to share the progress of a student in postsecondary in the aggregate; this version of FERPA allows us to share back information with teachers about individual students,” Ms. Gosa said. “This will also allow us, on our high school feedback reports, to allow the districts and schools to drill down … to evaluate the programs and processes they have in place and allow them to know where they succeed or shore them up.”
Held to Account
Yet the new rules also would ensure that anyone who uses a student’s information must be responsible for protecting it and could be held accountable if data are misused. Under the current rules, while states and districts can certainly be held accountable for data leaks, it has been unclear how researchers, contractors, and other data users could be accountable for protecting students’ privacy. Under the proposed rules, violators risk having their federal grants withheld or getting barred from sharing student data for five years.
“It’s a different level of scrutiny when we are talking about children’s information; it’s very sensitive information and it’s a core value of our nation to protect that information,” Ms. Guidera of the Data Quality Campaign said. “While they may be giving out [information about] what bread they’re buying, people are much more reluctant to have information about their children’s academic progress being available.”
One Maplewood, Minn. parent, Arianna Chapman, went further in a written comment to the Education Department expressing support for the proposed FERPA rules. “I mean, as a parent," she wrote, "I would prefer that nobody extra is accessing my child’s records, but if it benefits her in the long run by helping to get grants or programs added that could be useful to her, then why not allow it? However, I only agree if they are sure that the information would only be going to official people on an absolute need-to-know basis and not just to anyone.”
That’s the crux of the issue for states, which are now hashing out how to give customized access to the data based on individual roles, from a 2nd grade teacher, to a district mathematics coach, to a legislator or special education researcher.
The increasing flexibility of school systems can make data privacy trickier, said Mr. Houde, the consultant. In Arizona, many secondary students—particularly those in rural schools—are jointly enrolled in their home and virtual schools for distance courses, and part-time career and technical education programs. Many more educators may need access to a student’s data, and it can become more difficult to sort out who actually needs to see specific information.
“For some of the districts, they only need [the state] to get out of the way” to conduct their own analyses using state data, “but that’s only maybe 2 percent of the schools in the state,” Mr. Houde said.
For the rest, he said, staff members have not had the time or training in how to use data-system information safely. “These data have tremendous value, and we need to maximize their use, but … as the utility of the data increases, the security profile of the data also increases,” Mr. Houde said. “We have to build understanding that the highest risk to this data is internal—that someone will send out an email with identifiable information or lose a thumb drive.”
Ms. Gosa agreed. Kansas has developed free, customized data-certification training for district and school staff members based on their particular roles, from a secretary submitting accountability data to a teacher analyzing achievement information about her class.
“We basically go over the FERPA regulations and customize it to situations they might have encountered, that might be more meaningful to them than just reciting regulations,” she said.
“They may not understand how critical it is not to lay down a piece of paper with a Social Security number, or to shred everything immediately, or not to walk away from your desk if there is information showing that someone might see. All those things, when you’re trying to get your work done, they seem like distractions but they really are critical.”
Vol. 30, Issue 30, Pages 21,25