In March of 2020, the COVID-19 pandemic changed education in ways never before seen, as suddenly most students began taking remote classes exclusively. Even now, more than a year later, students of all ages are returning to classrooms that are incorporating more technology than ever before. On August 11, 2021, the Future of Privacy Forum hosted the Federal Student Privacy Summit to spread knowledge to students, parents, and school staff on best practices for protecting student privacy. One event at this summit was the “Regulating State and Local Education Agencies” panel, which offered valuable information on best practices for managing students’ data and implementing privacy policies at the state and local levels.
This panel was moderated by Noelle Ellerson Ng, Associate Executive Director of Advocacy and Governance at the American Association of School Administrators. The panelists included Rachel Anderson, Director of Policy and Research Strategy at Data Quality Campaign, Lorrie Owens, Chief Technology Officer at the San Mateo County Office of Education, and Whitney Phillips, Chief Privacy Officer for the Utah State Board of Education.
The first key takeaway for stakeholders is that school staff overwhelmingly want to do the right thing and protect student data but often lack the necessary support. Rachel Anderson noted the difficulties imposed on school staff when new guidelines emerge without any additional assistance. Teachers are already required to do a lot with very little support, and giving them additional responsibilities without additional funding or training hasn’t proven to be effective in the past. Whitney Phillips noted that while every district in Utah is required to have a plan for protecting student data, a staff team of only four people at the Utah State Board of Education is responsible for evaluating the more than 40 plans from Utah school districts. Lorrie Owens also pointed out the frequent miscommunications between policymakers and those who are expected to carry out policies; policymakers will occasionally demand that schools and districts carry out practices for which they don’t have the technology or capacity.
The panelists also noted that federal policy on student data privacy isn’t cohesive. “COVID exposed some technical failures with FERPA,” Whitney Phillips observed, when commenting on the many challenges districts faced in complying with the federal law during the abrupt switch to remote learning. Lorrie Owens saw a similar challenge, as districts did not know how to provide a home-based education that complied with FERPA, and school staff weren’t always aware of which state or district policies they had to follow. Student privacy bills tend to pass without much public awareness, leaving school staff in the dark as to what guidance they need to follow. Rachel Anderson also remarked that most privacy policies reflect the intent to punish school staff after data privacy has been breached, rather than to prevent data breaches.
The panelists also had many suggestions for improvements. First on the list? Policymakers and other privacy stakeholders should provide funding for supplemental technology and training when issuing new privacy guidance. Rachel Anderson remarked that when it comes to student data protection, “most lapses come from human error.” Usually when student data is breached, it is because someone reused a password, stayed logged in on a shared computer, or didn’t use two-factor authentication. Training school staff on best practices is vital to protecting student data. Lorrie Owens concurred, noting that this training should be ongoing, not just something offered once to each educator. Instead, privacy training should continually keep school staff up to date on best practices for securing student data. Whitney Phillips suggested that districts follow Utah’s lead and have a designated student data-protection authority on staff. This would allow school staff to have meaningful dialogue with someone about the implications of privacy policies, without overwhelming state officials. As one of only four states that has a chief privacy officer, Utah is well ahead of the curve on student privacy protection.
Lastly, the panelists suggested policy reforms that fit the new hybrid digital education landscape. Whitney Phillips made the astute point that our current data policies are structured to protect student records, and called for policy that’s more “nimble and seeking to protect students rather than records.” Lorrie Owens expressed the need for policies that are more “cohesive” and work together to protect students, rather than offering conflicting guidance. Rachel Anderson, emphasizing her point about human error, said she wanted to see policies that focused on supporting school staff to prevent breaches, rather than solely punishing them when breaches happen.
During the discussion, these brilliant panelists offered numerous invaluable resources, which are listed below. Readers can also find links to the other events held during the Federal Student Privacy Summit.
- Data Quality Campaign’s Infographic: Who Uses Student Data?
- Utah’s Student Data Privacy Website, student privacy training videos, and student privacy laws
- The California Student Data Privacy Guidebook
- USED’s Privacy Technical Assistance Center
- The Student Data Privacy Consortium
- Data Quality Campaign’s Coalition Letter on Emergency Funding for Data Systems