By guest blogger Sara Gilgore
The World Privacy Forum, a public-interest research group focused on privacy protection, has launched a campaign urging parents to “opt out” of allowing schools to release “directory” information—student data the organization says schools could otherwise disclose to third-parties who request access.
Directory information could include a child’s name, address, telephone number, birthday, honors, and awards, according to the U.S. Department of Education’s Family Educational Rights and Privacy Act, which protects student education records.
The federal law, known as FERPA, says schools may share directory information “without consent,” but also gives parents and eligible students who are at least 18 years old the right to prevent schools from releasing this information.
Some of the most common uses of directory information are for school photos, yearbooks, class rings, and sports programs. Directory information refers to “very detailed personal information” that can become publicly exchanged data if a school is covered by FERPA and chooses to share it, said Pam Dixon, Executive Director of World Privacy Forum. Data brokers may get this information from schools and then publish it for sale, after which students may be at risk for identity theft, or have unwanted marketing or advertising directed at them, as my colleague, Ben Herold, explained in a recent story.
“Most parents and students are completely unaware of this,” Dixon said. “We deal with the consequence of that every year.”
Schools must notify parents of their rights each year under FERPA, but because many schools have outdated notices, many parents don’t exercise their opt-out right, Dixon said. However, schools cannot release this information if the appropriate paperwork is on file.
Still, many parents miss or overlook the opportunity. Though they typically receive their notice with other forms at the beginning of each academic year, schools don’t always explain what this notice is, in some cases because they lack the time or capacity, said Jules Polonetsky, executive director of the Future of Privacy Forum, a Washington, D.C.-based think tank that supports responsible data practices.
“Doing more requires being an expert and understanding the rules, which not all schools understand, and having [the] time and bandwidth to clearly explain this to parents,” Polonetsky said, “so it has been one of the things that falls by the wayside.”
Because there is also a limited amount of time for parents to complete the opt-out process each year, according to Dixon, many confront privacy problems only when it is too late. World Privacy Forum launched its campaign this year to “be proactive, get the word out, and try to encourage parents to really take care of this problem,” Dixon said. The San Diego-based organization took to Twitter with the hashtag, #OptOutKids, produced a video, and created a sample opt-out form in an effort to simplify the process for parents.
As the school year begins, the Future of Privacy Forum also published a guide for parents about student privacy, which Polonetsky said he hopes “will help schools get the information to parents who can then make smart decisions.”
As parents have raised data-privacy concerns, state and local policymakers have sought to toughen protections of student information. At the same time, some industry groups and tech providers have warned that overly strict restrictions will stymie classroom innovation that comes through data collection and analytics.
A common misconception among parents is that opting out under FERPA is an all-or-nothing decision; rather, parents can allow schools to share data for certain purposes and not others.
“What we hope is that schools will do more to give parents nuanced choices,” Polonetsky said, and ensure that “broad, wide, unknown sharing of data is curtailed.”
In addition, not all schools handle directory information in the same way. Some schools tell parents for what purposes they will share information, in which case it might not be necessary to opt out of everything. But “most schools are going to allow that information to third parties, and pretty much anyone who asks, and that’s the problem,” Dixon said.
Much of the privacy debate in recent years has focused on which vendors hold school information, or what happens to student data when sent to the state for analytics, Polonetsky said. But very little attention has been paid to whether child data can be shared publicly.
“This certainly should be the first area that anybody who is worried about privacy considers and thinks about,” he said.
- ‘De-Identifying’ Student Data Is Key for Protecting Privacy
- Danger Posed by Student-Data Breaches Prompts Action
- Five Principles for Securing Student-Data Privacy
- State Lawmakers Balance Concerns on Student-Data Privacy
- ‘De-Identifying’ Student Data: Next Front in the Privacy Wars?
for the latest news on ed-tech policies, practices, and trends.
A version of this news article first appeared in the Digital Education blog.