State Lawmakers Ramp Up Attention to Data Privacy
As the appetite for educational data on students has grown across the K-12 sector, so has the stated desire among many state lawmakers to try to protect the privacy and security of sensitive student information.
Spurred by concerns that the rise of education technology and the increasing prevalence of new assessments will place student data in unreliable hands or be put to nefarious uses, lawmakers in dozens of states have acted this year to clarify who has what access to student data and to specify the best practices for shielding that data.
In total, for the 2014 legislative sessions, 83 bills in 32 states have addressed student-data protection issues, according to the Data Quality Campaign, a Washington-based group that seeks to promote the use of educational data to inform classroom and policy decisions.
New York has created a chief privacy officer at the state level to coordinate the protection of personally identifiable student data, a move that Arizona, Tennessee, and West Virginia have also considered.
An Idaho law adopted this year requires districts to adopt model policies governing the sharing of data.
And nine states have considered bills based in part on a new law approved last year in Oklahoma that requires the state education department to publish the inventory describing the data it collects on individual students, and also limits the conditions allowing student data to be shared.
The American Legislative Exchange Council, a Washington-based, conservative policy group, has also written a model bill for student-data use that includes the creation of a chief privacy officer.
But approaches focused on general transparency, disclosure, and oversight haven't satisfied everyone. Some lawmakers in states like Florida and Kansas have also acted to protect information ranging from biometrics to the political and religious affiliations of students and parents.
And while the Common Core State Standards themselves don't make any new demands for student data, concerns by parents and others about the standards' links to a broader thirst for student information have also driven the political dialogue.
In March, after months of such opposition, New York state dropped its partnership with inBloom, an Atlanta-based education nonprofit that provides software to store and synthesize student records in order to improve instruction.
Reginal J. Leichty, a partner at EducationCounsel, a Washington-based consulting firm, said states' legislative efforts in general at addressing the issue have been "mixed" in terms of creating a safe environment for data where such information can also be put to good use.
States are looking at a variety of approaches toward regulating student-data privacy and assuring protections. Here’s a sampling of noteworthy legislation.
A newly enacted law vests authority over student-data use with the state board of education, which has to file annual reports about what types of student data are being collected and any breaches in data security. It also requires districts to adopt policies governing student data.
As part of a budget deal approved by lawmakers, the state will create a new position of chief privacy officer to work with local education agencies and make recommendations about the best ways to protect student data.
A bill that passed the state Senate last month would prohibit collection of students’ biometric data, such as fingerprints and retinal information.
A measure that originated in the state Senate would prohibit the collection of biometric data as well as any information about students’ or their parents’ parents religious and political beliefs.
"They are responding to some legitimate concerns about how our society deals with student data. I think there's always danger in legislating with overreach," he said.
States need to balance the desire for data protection and security with the significant value such information can have on states' longitudinal data systems as well as local school districts' efforts to craft better instructional practices, said Paige Kowalski, the director of state policy and advocacy at the Data Quality Campaign.
The best bills, Ms. Kowalski said, establish clear responsibilities and policies for data without necessarily eliminating certain types of data from being collected at all.
"How do we ensure that the right data is collected, that there is governance to collect and share, protect, and access this information?" Ms. Kowalski said. "It's that governance piece that is so crucial."
The author of the Idaho bill that became law, Sen. John Goedde, a Republican, said that he tried to hew to a course that would protect state data and create clear areas of responsibility. He said the state school board has the capacity to help districts and set policy, and therefore the state school board should oversee data policy. (The Oklahoma law also places responsibility for securing statewide data with the state board.)
Power Over Data
Taking the approach of recently defeated legislation in Georgia, which could have cut off teachers' access to student data, would have been off the mark, Mr. Goedde said.
"It's a basic tenet of conservatism that you try to get the best bang for your dollar. And that means you have to have some way of assessing whether your education system is working. And without data, there's no way to do that," he said. "The same people that are concerned about the collection of data want accountability for their tax dollars."
Sheila Kaplan, a researcher and advocate at Education New York, helped write a proposal for creating a chief privacy officer, which eventually became part of New York state's budget deal this year. That state officer is key, Ms. Kaplan said, because he or she will be "the person who informs the public about privacy in this state."
"This bill gives districts control of the data," she said, noting that her language was separate from that of ALEC.
But legislators in some states favor that prohibitions on specific types of data, or at least on giving parents greater power over what gets shared.
In Florida, legislation that has passed the state Senate, authored by GOP Sen. Dorothy Hukill, would prohibit schools from collecting biometric data on their students, including information like fingerprints. Legislation in Kansas carries the same prohibition, and also bars schools from collecting information about the political and religious affiliations of both students and parents.
Rep. Amanda Grosserode, a Republican, who worked on that legislation in the Kansas House of Representatives, said lawmakers saw no reason not to include the ban on biometric-data collection, and that it was a preemptive measure. If in the future biometric data ends up being truly useful for instructional purposes, she added, the law can always be changed.
"This bill ended up crossing multiple ideological viewpoints. So it was supported across the spectrum," she said.Rep. Grosserode added that while the common core may have been the genesis of data-privacy worries in communities, she ultimately didn't consider the legislation a "common-core bill."
The privacy issue continues to generate great interest and—occasionally intense pushback—rooted in concerns about data breaches and a lack of understanding among parents about how their children's data might be disseminated and used.
Last month, after months of such opposition, New York state dropped its partnership with inBloom, an Atlanta-based education nonprofit that provides software to store and synthesize student records in order to improve instruction.
But the creation of a chief privacy officer in New York state and the end of inBloom's work won't satisfy the fundamental concerns some people harbor about how student data is collected and used.
Last year, state Assemblyman Daniel J. O'Donnell, a Democrat, introduced a bill that would prohibit both the state education department and districts from sharing personally identifiable student data with any third parties without parental consent. Districts could decide individually if their consent policies would require frequent or infrequent requests for consent from parents, he said.
The lingering challenge after the most recent policy changes in New York state, according to Mr. O'Donnell, is to prevent districts from entering into their own agreements through which hundreds of data points about students are used for marketing and other commercial purposes, or are stored and accessed in other inappropriate ways.
"That's where the next wave of protecting people's private information is. Do we have an expectation that what's happening in their lives, and what medications they're on, and what education they're getting ... is not stuff that should be stored forever, accessible to others?" said Mr. O'Donnell.
He rejected the argument that sensitive student data, when shared with and put to use by third parties, is truly useful for instruction. But data advocates like Ms. Kowalski say that using attendance, test scores, grades, and other data to inform "early warning systems" and ultimately help schools formulate plans to get individual students back on track is something new data laws in states should enable, not shut down. She compared such use of data to doctors who help patients switch from smoking two packs of cigarettes a day to a healthier lifestyle.
"The goal of this is not to be able to ignore you," she said.
And Ms. Kaplan argued that forcing parents to navigate how they should judge sophisticated uses of data could mean that even mundane matters like putting students on the correct school bus routes would be fouled up.
Learning as They Go
Part of the difficulty for states is that they traditionally haven't provided much support when it comes to compliance with federal regulations governing individual student data like the Family Educational Rights and Privacy Act (known as FERPA), said Bob Moore, the founder and chief consultant of RJM Strategies, a consulting firm based in Overland Park, Kan.
The concerns extend beyond the data-sharing and longitudinal systems used by districts and states. States and districts still need to work on the "widespread lack of awareness" about how online services and applications that teachers find useful might actually endanger student-data privacy.
"It's easy to blame the classroom teacher, but I don't think that's fair," Mr. Moore said.
Vol. 33, Issue 28, Pages 19,30