A spate of recent laws and policies intended to better protect the privacy of students’ sensitive information don’t go nearly far enough, according to researchers concerned about commercialization in public education.
“Computer technology has made it possible to aggregate, collate, analyze, and store massive amounts of information about students,” according to a new report from the National Education Policy Center, based at the University of Colorado, in Boulder.
“This has opened opportunities for private vendors to access student information and share it with others. Further, the computerization of student work offers opportunities for companies that provide education technology and educational applications to obtain and pass on to third parties information about students.”
The report, titled “On the Block: Student Data and Privacy in the Digital Age,” is the latest in a series from the NEPC on “schoolhouse commercializing trends.” The group has consistently released reports critical of the private sector’s role in public education.
Its authors, Alex Molnar and Faith Boninger, both University of Colorado researchers, recommend that legal protections be extended beyond students’ formal educational records to include the wide range of student data—including anonymous information and “metadata,” such as what type of device a student is using or where they are accessing the Internet—that is now frequently collected and shared by ed-tech companies.
The researchers also recommend that the legal burden to protect students’ information be shifted to include vendors, as well as schools and districts.
Dozens of student-data-privacy related state laws have been passed in recent years, and the U.S. Congress is currently poised to consider both a new federal “Student Data Privacy and Parental Rights” act and amajor revision to the nation’s primary existing student-privacy law, the Family Educational Rights and Privacy Act, or FERPA.
A number of groups, including the U.S. Department of Education, have also in recent months issued guidance, principles, and toolkits aimed at helping schools make sense of the complex student-privacy landscape. And more than 120 companies have now signed on to a voluntary pledge to protect student information, put forth by the Future of Privacy Forum, a think tank, and the Software & Information Industry Association, a trade group.
The NEPC report calls such efforts “steps forward,” but says “key privacy issues remain unresolved.”
The researchers’ review of state laws in particular found concerns about what student data is protected, the rights afforded to parents and students to review and correct the information about them that is being held by third parties, and a frequent lack of explicit limits on the use of educational data for commercial purposes.
A trifecta of laws passed in California— especially the Student Online and Personal Information and Protection Act, or SOPIPA—were praised by the NEPC for their expansive definition of the student data to be protected and their restrictions on commercial use of student information.
The NEPC report also recommends that:
- The federal Children’s Online Privacy Protection Act, or COPPA, be amended to expand its protections to include 14 year-olds (instead of stopping at age 13)
- FERPA be amended to provide parents with a private right of action (e.g., to sue when their children’s privacy is violated)
- Schools and districts adopt more rigorous contracting practices, including requirements that vendors “specify in advance the purpose for which any given piece of information is collected,” “limit the use of that information to its original intended purpose,” and “require that the data be destroyed after serving its specified purpose.”
A Student Data Privacy Bill of Rights issues by the nonprofit Electronic Privacy Information Center should serve as a guide, the NEPC researchers suggest.
A version of this news article first appeared in the Digital Education blog.