Major possible revisions to the Family Educational Rights and Privacy Act were debated in the U.S. House of Representatives Wednesday, even as new federal student-data-privacy legislation proposed by the White House continues to inch forward.
“Despite the advent of computers, the Internet, Wi-Fi, and cloud services, the law has not been significantly updated since its introduction in 1974,” said Representative Todd Rokita, the Indiana Republican who chairs the House education subcommittee that hosted a Wednesday hearing on “How Emerging Technology Affects Student Privacy.”
“Unless Congress updates FERPA and clarifies what information can be collected, how that information can be used, and if that information can be shared, student privacy will not be properly protected,” Rokita said.
Joel Reidenberg, a privacy expert and law professor at Fordham University in New York, told the lawmakers that Congress should focus primarily on improving four aspects of the existing law:
- Expanding the legal definition of an “educational record” to include the digital data and metadata generated by software, websites, apps, and online learning platforms, among other information. In written testimony, Reidenberg cited student homework shared with a teacher via a third-party tool and information kept by a transportation company about where children wait to take the school bus as examples of potentially sensitive data that are not currently protected under FERPA.
- Expanding FERPA to apply to vendors, not just educational agencies. This is particularly important given the typically weak contracts that districts have with ed-tech vendors and the increasing efforts by vendors to market directly to teachers who may unwittingly violate FERPA by using certain products, Reidenberg said in his written testimony.
- Including a “graduated,” enforceable series of penalties for FERPA violators, and allow individual families a private right of action. The only sanction currently available—withholding federal funds to schools—is a “nuclear option” that has never been exercised, Reidenberg said. An escalating series of fines depending on the severity of the violation might be better, he argued.
- Including requirements around data security standards and notification of data breaches. As the New York Times reported this week, many ed-tech companies fail to employ even basic security protocols, an issues that is not addressed in the current law.
Other testimony focused on ensuring that schools are not subjected to onerous new requirements (Sheryl Abshire, chief technology officer of the 32,000-student Calcasieu Parish Public Schools in La.); improving parental notifications and better involving parents in understanding what data is being collected on their children and how it is being used (Shannon Sevier, Vice President of Advocacy for the National Parent Teacher Association, based in Alexandria, Va.); and finding the appropriate balance between protecting privacy and supporting industry innovation (Allyson Knox, the director of education policy and programs for Microsoft.)
Among the House members expressing interest in possible FERPA updates were Colorado Democrat Jared Polis and Indiana Republican Luke Messer. The pair was instrumental in the development of a voluntary industry pledge to protect student privacy that has now been signed by more than 100 companies. They have also said they will soon introduce new federal student-data-privacy legislation that broadly aligns with thepriorities recently outlined by President Barack Obama.
Potential revisions to FERPA could occur alongside passage of a new law, Messer indicated during the hearing.
A bill that would update FERPA, but not go nearly as far as the recommendations issued by Reidenberg and other privacy advocates, was introduced in the Senate last June, but has yet to receive a vote.
New student-data-privacy measures were enacted in 21 states during 2014 legislative sessions.
Photo: U.S. Rep.Todd Rokita, pictured here at an Indiana Republican party rally in 2012, chaired a House subcommittee hearing on student data privacy Wednesday. --Darron Cummings/AP
A version of this news article first appeared in the Digital Education blog.