Legislative-Advocacy Group's Model Bill Tackles Privacy of Student Data
ALEC proposes new safeguards in states
An influential legislative-advocacy group’s promotion of a model bill meant to protect the privacy of student data sends a strong signal that the hot-button issue will be debated in statehouses around the country in lawmakers’ 2014 sessions.
The template being provided to state lawmakers by the controversial American Legislative Exchange Council, known as ALEC, would require state school boards to appoint a “chief privacy officer,” create a data-security plan, publish an inventory of all student-level data being collected by the state, make sure that contracts with some vendors include privacy and security provisions, and ensure compliance with federal privacy laws.
The group’s model legislation mirrors a recently enacted bill in Oklahoma that is widely regarded as the first attempt in the country to comprehensively address growing concern over the collection, electronic storage, and sharing of oceans of student-specific information. Such data cover matters from academic performance to family background to disciplinary and health records.
“This is an issue of importance to our members,” said Lindsay M. Russell, the director of ALEC’s education task force. “Pretty much all  states that are represented on our task force have shown interest in the bill.”
Other advocacy groups and industry representatives reacted warily to the approach embodied in the Oklahoma and ALEC bills. They praised the efforts as good first steps, but expressed concern over a lack of substantive details, particularly when it comes to placing limits on the noneducational uses of student data by third-party vendors.
“Focusing on transparency and accountability is always a good start, but I’m not sure that [the ALEC model bill] is comprehensive in covering the education-technology landscape,” said Joni Lupovitz, the vice president of policy at Common Sense Media, a San Francisco-based nonprofit that in October launched a campaign to press for increased safeguards on student data.
Lawmakers from both major parties have recently introduced or passed a variety of other student-data-privacy bills in such states as Arizona, Massachusetts, Nebraska, and New York.
A bipartisan group of U.S. senators also has introduced a bill that would ramp up existing federal protections of students’ online privacy.
Issues surrounding the privacy of student information are taking on new significance as policy and technology combine to produce a mass of detailed data, both academic and nonacademic, on individual students. Some states have recently enacted laws to beef up data privacy; similar measures are developing in other states. Here is a sampling of that legislative activity.
ARIZONA Gov. Janice K. Brewer, a Republican, signed into law in June a bill designed to strengthen parental-consent procedures around the release of student “directory information”—including name, address, and phone number—to third-party vendors. The measure provides a pathway for reporting suspected violations of the federal Family Educational Rights and Privacy Act, or FERPA. “The bill maintains the privacy of students on campuses from outside vendors who want to obtain [directory] lists to increase their client bases,” said state Sen. Kimberly Yee, the Phoenix Republican who sponsored the legislation.
NEBRASKA Gov. Dave Heineman, a Republican, signed into law in April a measure guaranteeing students, and their parents or guardians, access to school files and records concerning themselves. Students’ parents or guardians and teachers, counselors, and school administrators are granted the same access. Some broad limits are placed on the transfer of such data to other parties without parental consent, although the legislation is explicit that “the sharing of student data, records, and information among school districts, educational service units, learning communities, and the state department of education, to the fullest extent practicable and permitted by law, is vital to enhancing education in this state.”
NEW YORK No fewer than six bills related to student-data privacy are currently pending in the New York state legislature, including proposals that would give parents greater say in how their children’s education data may be used and limit third-party providers of cloud-computing services to noncommercial uses of student data. Most of the bills have received bipartisan backing in the Assembly, the lower house. None has yet been enacted.
David K. Albert, the director of communications and research for the New York State School Boards Association, said the state’s data-sharing partnership with Atlanta-based nonprofit inBloom Inc. has taken concerns about student privacy in the state “to a different level.”
“We want to protect student privacy, and at the same time make it so that schools can continue their regular day-to-day operations without putting too many roadblocks in place,” he said. He cited routine functions ranging from student transportation to yearbook creation that require some degree of student-level data-sharing with outside vendors.
MASSACHUSETTS A bill proposed by state Rep. Carlo P. Basile, a Boston Democrat, would prohibit “service providers who offer cloud-computing services to K-12 educational institutions from processing student data for commercial purposes,” including targeted advertising to children. “I felt something had to be done to protect the integrity of our children’s business,” Mr. Basile said. “Now that [lawmakers] have become educated on [cloud computing], there’s definitely an appetite to do something.” The bill is currently in committee.
OKLAHOMA The Student Data Accessibility, Transparency, and Accountability Act, passed in June and signed into law by Gov. Mary Fallin, a Republican, is poised to become a national model for how state lawmakers propose to comprehensively address student data-privacy issues. The law mandates creation of a data-security plan, publication of an inventory of all student-level data being collected by the state, data-privacy and security provisions in contracts with outside vendors, and compliance with federal privacy laws. It also served as the template for model legislation adopted by the American Legislative Exchange Council, an influential legislative-advocacy group based in Arlington, Va.
Looking to Oklahoma
The Arlington, Va.-based ALEC brings together state legislators and private-sector business leaders to craft sample legislation based on free-market and limited-government principles. In the education arena, the group has been involved in promoting such measures as “parent trigger” and voucher legislation. On another front, its role in some states’ adoption of “Stand Your Ground” laws—which allow individuals to use deadly force to protect themselves without a requirement to retreat in the face of danger—drew intense national scrutiny in the wake of the killing of Florida teenager Trayvon Martin.
Ms. Russell said the model data-privacy legislation, approved by ALEC’s members in late September and formally known as the Student Data Accessibility, Transparency, and Accountability Act, shares “core concepts” with the Oklahoma legislation of the same name, which was approved in June. The language in the two documents is virtually identical.
State Rep. David Brumbaugh, a Republican whose district includes Tulsa, sponsored the Oklahoma bill.
Mr. Brumbaugh said his focus was on building a “system of safeguards” to protect students’ privacy while also recognizing the value of tracking their “educational pathways.”
He argued that the collection of some of the roughly 300 pieces of student-level data compiled for use in state longitudinal-data systems such as Oklahoma’s—especially information that is nonacademic—constitutes “data-gathering without a legitimate purpose.” Mr. Brumbaugh also expressed concern that such data is often not properly secured.
“If we ignore small, gradual erosions to privacy in the name of policy or convenience, we risk a larger overall loss that we aren’t aware of until it’s too late,” he said.
The Oklahoma Student DATA Act requires the state education department to publish an inventory that lists and defines each piece of individual student data it collects, as well as the reason it is being collected. It outlines broad guidelines for restricting access to student data and limiting the conditions under which student data can be shared with other entities.
The law also calls for contracts with outside vendors that will handle student data to include “express provisions that safeguard privacy and security and include penalties for noncompliance.”
Stricter Limits Proposed
Given the recent “sea change” in the volume of data that education institutions collect and their capacity to process it, the focus in the Oklahoma law and the ALEC model legislation on increasing transparency and establishing new accountability structures is “absolutely critical,” said Stephen Mutkoski, the worldwide policy director for the Microsoft Corp., based in Redmond, Wash.
But Mr. Mutkoski is among those who expressed reservations that the Oklahoma and ALEC bills do not go far enough, especially when it comes to establishing an “initial bar” that would clearly limit the use of student data to educational purposes—a major concern, given the proliferation of educational app makers, “cloud”-based information-storage providers, and other vendors seeking to monetize student data through targeted advertising and other means.
“It’s a time of great growth in the ed-tech industry, and I’m not sure everybody’s motivation in terms of how they want to use data is clear,” Mr. Mutkoski said.
Leonie Haimson, a New York City-based parent and public schools advocate, also questioned the wisdom of not providing families more say in whether and how their children’s information is being shared.
“To me, it sounds like [the bill is intended] to assuage the fears of parents who want there to be something done to protect their children’s data, but who aren’t really informed about the issues,” Ms. Haimson said.
Bills that contain more specifics but don’t take as comprehensive an approach have gained some traction in other states. In New York, for example, Ms. Haimson and her nonprofit organization, Class Size Matters, have helped push more-targeted bills crafted to stop the release of sensitive student information without parental consent and to allow parents the opportunity to opt out of data-sharing efforts involving third-party vendors.
Both bills passed in the state Assembly last spring but have yet to move in the state Senate.
Legal Action in New York
Class Size Matters also played a leading role in a recent filing for a court injunction to stop the New York state education department from moving forward with a partnership with inBloom Inc., an independent nonprofit based in Atlanta that has met stiff opposition to its efforts to create a cloud-based education-data repository for states.
“This is the most bipartisan education issue that anyone in the state of New York has ever seen,” Ms. Haimson said of data privacy. “Parents are wildly angry.”
For his part, Mr. Brumbaugh, the Oklahoma lawmaker, said his state’s efforts should be construed as a first step.
“We want to shore [students’ privacy] up even more,” he said, pointing to parental-consent provisions as one area where the state could see further action. “This is all new territory.”
Ms. Russell of ALEC said that in the coming weeks, she expects much conversation in other states regarding the group’s model bill, which its members are likely to bring to their legislatures in the coming months. She said the ALEC template could be changed to accommodate local concerns.
“As January comes and people start to craft their legislative agendas,” Ms. Russell said, “we’ll have a better sense of which states are going after this aggressively and which are still in the discussion phase.”
Vol. 33, Issue 14, Pages 12-13
Get more stories and free e-newsletters!