From President Donald Trump’s plans to shutter the U.S. Department of Education to threats of federal funding cuts for diversity, equity, and inclusion initiatives, people who work in K-12 education are scrambling to keep up with all the education-related executive orders coming out of the White House.
One additional concern that educators are now trying to make sense of is the protection of sensitive data for teachers and students, experts say.
Education Week spoke with three experts in data privacy and security to find out how proposed policies, such as dismantling the U.S. Department of Education, and government-slashing actions by the Department of Government Efficiency, could affect the privacy and security of teachers’ and students’ data.
For this story, Education Week spoke with Linnette Attai, the president of PlayWell, a data privacy consulting firm that works with education clients; Elizabeth Laird, the director of equity in civic technology at the Center for Democracy and Technology, a nonprofit focused on technology policy and consumer rights; and Lisa LeVasseur, the director of Internet Safety Labs, a nonprofit group that researches tech product safety and privacy, including education technology products. They said are three main concerns that educators should be aware of:
- The risk to educators’ personal data through financial aid systems that store the data of people who have taken out federal student loans to pay for college.
- How AI is being used to analyze personal data to make decisions about federal government cuts.
- What happens to the Family Educational Rights and Privacy Act, or FERPA, if the Education Department is dismantled.
How people who have taken out student loans to pay for college are at risk
President Donald Trump, through executive action, has given the Department of Government Efficiency, or DOGE, a broad mandate to slash trillions in government spending. (Despite its name, DOGE is not a Cabinet-level agency; it is an office run by billionaire and tech entrepreneur Elon Musk, who holds special government employee status.)
In response, the American Federation of Teachers and two other labor unions have sued the Education Department, accusing it of violating federal privacy laws by granting DOGE access to the agency’s data systems, which include sensitive information about student loan borrowers, including many current educators who have received those loans.
Anyone who works in schools and has received student loans or financial aid from the federal government should be concerned, said Laird. (A federal judge has blocked DOGE from accessing such data through March 10.)
“For the most part, the U.S. Department of Education does not collect personally identifiable information about [K-12] students,” she said. But the data the department collects and maintains to award financial aid for higher education are extensive.
“It is very personal information,” Laird said. “It includes not just a [college] student’s legal name, but it can also include their Social Security number, it includes tax records, for which there are additional legal protections beyond the blanket federal privacy law.”
It’s important to underscore that, so far, there has not been a known breach or leak of people’s personal data because of DOGE’s work. But data this sensitive require careful, expert care, said LeVasseur.
“[DOGE] seems to be staffed by people who maybe are not specialists for this undertaking,” she said. “From what I have seen about the experience levels and backgrounds of people who have been named in articles, they do not have the kind of depth of experience for this kind of thing.”
The more people who have access to the data and the more times it is transferred, the greater the risk of bad actors accessing it. There have also been media reports that some DOGE staffers are using non-government-issued devices and on WiFi networks with weaker security protocols, which also pose increased security risks, said Laird.
This can have serious real-world implications for people. These data are highly valuable to criminals who can use the information to steal identities, take out loans, open credit cards, and apply for government benefits in victims’ names—to list just a few examples. There is a thriving market for this kind of information on the dark web.
How DOGE is using AI tools and why it matters
As part of DOGE’s mandate to slash funding, the Trump administration revoked hundreds of millions of dollars in contracts funded by the Education Department, most stemming from the agency’s research arm and others related to diversity, equity, and inclusion programs.
To streamline this work, DOGE staffers have reportedly used undisclosed AI tools to analyze programs to identify cost-cutting opportunities at the Education Department, feeding sensitive personal data of department employees into the AI in the process, according to The Washington Post.
This matters, said Larid, because many AI-powered technologies are often unreliable and could leak or share sensitive data that has been entered into them.
“AI can be flat-out wrong, it can reflect biases, it can introduce new security issues,” she said. “It’s being used for some of the highest stakes decisions [...] that includes who should lose their jobs, what grants should we cut? Things that have a direct impact on the ability of the K-12 and higher education sectors to do their job, with a tool that has known limitations.”
How the dismantling of the Ed. Dept. could make data privacy laws ineffective
The Education Department is the enforcer of federal student data privacy laws, including FERPA and the Protection of Pupil Rights Amendment, or PPRA. Those laws govern how education agencies that receive federal funding may collect and share students’ personally identifiable information.
So, if the Education Department were dismantled, those data privacy laws would still exist, but there wouldn’t be an enforcement authority behind them, unless Congress gives the authority to another federal agency, said Attai .
“What is a law without an enforcement mechanism? It’s just words,” Attai said. “Without repercussion, without guidance on how to implement it, over time, it loses its meaning.”
Many states have their own student data privacy laws, and while some of those laws reiterate FERPA provisions, more often they just fill in the gaps of the federal policy. For instance, state privacy laws might address how education agencies can share student data with technology providers, but they don’t address sharing of student data for academic research or with health care providers or law enforcement because FERPA already covers those elements.
Could states fill in the gaps of protecting student data privacy if the Education Department is dismantled?
Yes, said Attai. But it would be “an incredibly long road, and we would very likely be left with a patchwork of legislation that leaves meaningful gaps in our ability to properly educate students” and measure the efficacy of their education, she said.
Finally, LeVasseur is concerned that under the current administration there will be less federal oversight of education technology companies and how they are handling student data. Many companies in this space, such as PowerSchool, which recently made headlines for a data breach, collect massive amounts of data on students.
“We already have an under-scrutinized industry,” she said. She pointed to the federal law that regulates how companies can use children’s data gathered online, the Children’s Online Privacy Protection Act’s “Safe Harbor” provision.
“It only does one thing. It pretty much makes sure that the apps don’t have any behavioral ads in them. But it doesn’t check for data sharing with many other entities. We don’t have great protections for child and student data in the first place.”
