School officials urged federal lawmakers to update the law governing the handling and disclosure of student data, saying that it must provide more clarity to education leaders and reflect challenges educators face in the digital learning environment.
In a hearing at the House education committee Thursday, school leaders and advocates also discussed how they try to safeguard important data on children, from faculty training to limiting the type of data that’s collected.
Data privacy issues in general have become more prominent this year following revelations about the mishandling of Facebook users’ data, for example. It’s unclear to how changes to how Facebook handles data might impact K-12. But altering how federal law deals with these complicated data-privacy issues has proven to be a challenge on Capitol Hill.
Practices that rely on students’ data can “greatly enrich the student experience” and inform teachers’ work, said Rep. Virginia Foxx, R-N.C., the committee chairwoman. However, she also said in opening remarks, “Questions of privacy will always accompany any discussion of student data collection, as well they should.”
She stressed that more must be done to protect student data, including updating the Family Educational Rights and Privacy Act (FERPA), first enacted in 1974.
Various lawmakers have floated proposals to overhaul FERPA in recent years. In 2015, for example, Rep. Luke Messer, R-Ind., and Rep. Jared Polis, D-Colo., introduced a bill that was favored by school groups but made industry wary. Sens. Richard Blumenthal, D-Conn., and Steve Daines, R-Mont., also introduced a student-data privacy bill. But both bills have failed to gain significant traction on Capitol Hill.
Meanwhile, Rep. Bobby Scott, D-Va., called data protection for schools a civil rights issue, then spent a significant portion of his remarks and questions criticizing the Trump administration’s record on other civil rights issues, such as Secretary of Education Betsy DeVos’ move to reconsider Obama-era guidance concerning racial disparities in school discipline.
Other Democrats including Reps. Suzanne Bonamici of Oregon and Marcia Fudge of Ohio picked up on this theme, highlighting that Thursday was the 64th anniversary of the Brown v. Board of Education decision from the U.S. Supreme Court that overturned laws establishing segregated schools. Catherine Lhamon, the assistant secretary for civil rights at the U.S. Department of Education in the Obama administration, told the committee that there is overlap between data privacy and civil rights when it comes to issues like protecting transgender students, for example.
Other witnesses focused on the technical and practical concerns they have around student-data privacy.
There were four billion attempted attacks on Kentucky schools’ data infrastructure in the past academic year, said David Couch, the K-12 chief information officer at the Kentucky Office of Education Technology. In addition, he said, there’s been an 85 percent increase in phishing attacks over the past year, and these attacks are becoming more targeted at relevant officials. At the same time, he said, most data breaches are accidents, ranging from mistakenly posting students’ personally identifiable information to school staff falling for phishing emails.
“Everyone has a role to play in maintaining security,” Couch told lawmakers. He also echoed Foxx’s call to update FERPA: “The law was written so long ago that it’s not relevant in the digital world, it’s not as relevant.”
He also recommended a “healthy data diet” for schools, in order for them to assess what student data they actually need and reduce the possibility that superfluous data is unnecessarily exposed. “You’ve got to spend a lot of time as a state working with your districts and your schools about the value of it,” he said.
Some progress has been made at the state level, said Amelia Vance, the director of education policy at the Future of Privacy Forum. Since 2013, 39 states have passed 119 bills focused on student-data privacy, she said. But policies that are supposed to govern how private companies handle the unique needs of schools are still an issue, she added. “We often see cookie-cutter contractual terms that are inappropriate” for the education environment, Vance said.
Twenty states, she noted, have passed laws prohibiting third-party vendors from targeting ads to students, from creating profiles of them, and from selling that information.
As for FERPA, Vance said plain and clear language would be crucial for any updated law, which should also rely on actions states have taken: “Many of the issues that come up with FERPA are because you have to go back and forth between the statute and regulations and guidance, and apply it to situations that weren’t imagined when the law originally passed.”
Gary Lilly, the superintendent of the Bristol Tennessee City district in Bristol, Tenn., said his district has hired a service that leads administrators through a questionnaire that helps inform practices and responses to data breaches. He also said he focuses on how data is stored, who has access of it, and how it’s disposed of at the end of any contract with a service provider.
Lilly also noted that his district recently bought a cyber-protection insurance policy, but prays he never has to use it. Rep. Lloyd Smucker, R-Pa., subsequently raised concerns that such insurance policies could ultimately provide an incentive to bad actors. Lilly responded that the insurance policy allows them to explore various issues and isn’t designed to just cover incidents in his district after the fact.
“Currently, there is considerable confusion regarding what must, may, or may not be disclosed,” Lilly said. And like Couch, he said those working in schools must be trained and take responsibility: “They’ve got to protect their own data and privacy.”
Image: Copyright Getty