An invitation for comments on student data privacy
The National Association of Secondary School Principals has an initiative to provide policy recommendations to ensure the protection of student data privacy and appropriate use of student data to improve teaching and learning in the classroom.
This initiative is of particular interest in that the NASSP is opening their statement to public comments. We often ask for our voices to be heard in the student data privacy debate and this is an opportunity to submit comments and ideas.
Technology is making it easier for schools and States to collect and analyze data to help them make informed decisions on issues that need to be addressed and what is working in schools. Even though this provides valuable information, we must ensure that the guidelines established adequately protect student privacy. The preliminary statement has interest recommendations. In particular the section “Recommendations for School Leaders” as it focuses on communication and transparency. It asks that district policies related to student data are communicated to teachers and parents and that teachers are educated about the use of online educational services. These recommendations address some of the main concerns parents and school districts have.
The full text is below or you can read it here
Please consider making comments to the initiative. Parent feedback can provide deep insights into the student data privacy debate. This is an opportunity to offer our perspective. The comments section is open through January 7th, 2015.
Student Data Privacy
The NASSP Board of Directors stated on November 7, 2014 its intention to adopt the following position statement, following a 60-day comment period. NASSP members and others are invited to submit comments on this statement by January 7, 2015 to[email protected]. The Board will include public comments as it deliberates final adoption of the statement at its February 2015 meeting.
To provide policy recommendations to ensure the protection of student privacy and appropriate use of student data to improve teaching and learning in the classroom.
Data-driven decision-making has become a tenet of high-performing schools and is essential to transforming teaching and learning in the classroom. The Alliance for Excellent Education says that the “effective use of data and learning analytics are both critical components of a digital learning strategy to personalize learning for many more students, especially to increase student retention and achievement in the highest-need schools (page 2).” Narrowing achievement gaps and assisting all students to be college and career ready upon high school graduation have economic implications as well. In a report examining the potential of the use of data in education, the McKinsey Global Institute estimates “the potential value from improved instruction to be $310 billion to $370 billion per year worldwide, largely through increased lifetime earnings (page 22).”
Technology has made it easier for principals and teachers to collect and analyze data at the school level, and districts and states are now creating longitudinal database systems to help them make structural changes in education that will have a greater impact on more students. For this reason, educators at all levels are authorizing third-party vendors to have access to student data. These vendors offer services that purport to assist educators in communicating with parents—improving the quality of education programs, providing supports and services for students, and providing secure data storage. In fact, every electronic device and application with a connection to the Internet could potentially be used to collect or access student data.
While the collection and analysis of student data is essential to the teaching and learning process, this must be done within parameters that protect the privacy of students and ensure that their data is used only for legitimate educational purposes. The Family Educational Rights and Privacy Act (FERPA) was enacted in 1974 and generally prohibits schools from disclosing personally identifiable information in students’ education records without consent. There are exceptions to the consent requirement, including one that allows the disclosure of such information to “school officials” for educational purposes. This particular provision was expanded in 2008 when the US Department of Education approved new regulations clarifying that third-party vendors (such as those who help manage school databases or provide digital curriculum) can be included within the school official exception. While third parties must be under the direct control of the school in terms of how they use and maintain the records and only use the records for the purposes for which they were shared, there is some concern that there are still gaps in the protection of student data. Overall, while most policymakers and educators understand the value of data collection in improving educational quality, there is some concern that FERPA itself, as well as the accompanying regulations, have become outdated in the new digital age.
In 2014, a congressional hearing was held to address student data privacy issues and a Senate bill was introduced to update FERPA and clarify that third parties are forbidden from using student information for marketing and advertising purposes. Fourteen states also enacted laws to strengthen student privacy protections, and the National Conference of State Legislatures reports that more than 100 student privacy bills were introduced in 36 states. Each principals’ full understanding of and familiarity with federal, state, and district policies on data collection and student privacy requirements are essential as this issue further develops.
NASSP believes that data has the power to transform teaching and learning by helping educators identify and provide supports to all students, assisting teachers and school leaders in improving their instructional practices, and informing schoolwide improvement activities.
NASSP believes that student data should only be used for the purpose of informing education policy, practice, and research and to deliver educational services to students.
NASSP believes that technology-enhanced data collection and analysis can assist schools in the planning and delivery of a student-centered, personalized, and individualized learning experience for each student—a fundamental tenet of theBreaking Ranks framework for school improvement.
Recommendations for Federal Policymakers
- Develop policies on the use of student data that balance privacy and property protection with the need to improve teaching and learning
- Require strong encryption standards for any federal agency or vendor that is collecting and/or storing sensitive student data
- Provide guidance to states regarding the collection, storage, security protections, and destruction of student data
- Provide funding to states and districts to help them address privacy issues related to student data
- Ensure that personal information and online learning activities are not used to target advertising to students or their families
- Limit nonconsensual access to personally identifiable student data to school, district, or state educational agency employees.
Recommendations for State Policymakers
- Establish a statewide data security plan to address administrative, physical, and technical safeguards
- Develop data breach notification policies for districts and schools
- Identify a state-level official who is responsible for privacy, data security, and compliance with all federal and state privacy laws and regulations
- Develop policies on data collection, storage, and access to ensure that student data collected through statewide longitudinal data systems is protected from inappropriate sharing or use
- Provide guidance to districts and schools regarding the collection, storage, security protections, and destruction of student data.
Recommendations for District Policymakers
- Develop clear policies about what student information is collected, how that data is used, to whom the data is disclosed, and each party’s responsibilities in the event of a data breach
- Ensure that data security practices include proper data deletion and disposal, including purging of electronic data, shredding physical documents, and destroying the presence of all data on old electronic equipment where data has been stored
- Identify a district privacy officer who is responsible for monitoring and complying with federal, state, and district policies on data privacy and for guiding school leaders and teachers in their use and protection of data
- Provide training for all district staff to ensure they understand basic legal requirements, their responsibilities, and specific district policies concerning student data
- Ensure that principals receive training on policies and procedures that support prevention of—and specify steps to be taken in the event of—a data breach. This should include procedures to notify authorities, parents, and other community members
- Educate district staff about online educational services (paid and free) and how to determine whether they comply with FERPA and state and district regulations
- Coordinate an annual privacy training for all school and district employees who have access to personally identifiable student data, adopt online educational services or apps, or procure and contract with service providers
- Ensure that all third-party vendors that collect or have access to student data have written contracts that specifically address privacy and the allowable uses of personally identifiable information, and prohibit redisclosure of personally identifiable information without parental consent
- Establish a policy whereby all data created by students, teachers, and other school staff is an “education record” in order to maintain control of how outside providers may access the data
- Communicate directly with parents about the collection and use of student data and the privacy measures and protections that are in place to preempt confusion and misunderstanding
- Prior to using online educational services, ensure that the contract or “terms of service” contain all necessary legal provisions governing access, use, protection, and destruction of student data
- Ensure that agreements with outside providers include provisions allowing direct and indirect parental access to student data
- Ensure greater transparency by posting on district and school websites all policies governing the outsourcing of school functions and contracts with outside providers
- Make available a list of online educational services or apps that are used within the district.
Recommendations for School Leaders
- Familiarize yourself with FERPA, state, and district regulations concerning student data privacy
- Consult with your school district attorney to ensure that any technologies and third-party vendors used by the school comply with FERPA and district requirements
- Communicate district policies related to student data collection and usage to your teachers and parents
- Ensure that your teachers have been educated about the use of online educational services and encourage them to use ones approved by the district
- Clearly communicate third-party vendors’ privacy, security, and breach and indemnification policies to parents about personally identifiable information that is shared with those vendors.