Student Data: Trust, Transparency, and the Role of Consent

Student Data: Trust, Transparency, and the Role of Consent

FERPA and Choice

The Family Educational Rights and Privacy Act (FERPA) is the chief federal law that protects student privacy. Enacted in 1974, the law was designed to address “frequent, even systematic violations of the privacy of students and parents by the schools . . . and the unauthorized, inappropriate release of personal data to various individuals and organizations.”42 The law specifically gives parents the right to access and challenge incorrect school records about their children.43

The structure of FERPA contemplates where and when offering choice and requiring consent is appropriate. As a general rule, disclosing student data contained in educational records is prohibited without written consent. However, there are a number of important exceptions that to permit schools to disclose personally identifiable information (PII) from education records without consent.44 These exceptions largely track how we categorized the types of activities that schools are engaged in.

School Officials under FERPA
FERPA allows schools to share data with entities they designate as "school officials."
Service providers may be designated school officials if they:
Perform institutional functions for which the school would otherwise use its own employees.
Function under the direct control of the school or district with respect to the use and maintenance of education records.
Use any student information only for purposes authorized by the school.
School Officials: Administrative and Instructional Uses

In order to facilitate basic educational activities, FERPA allows for data to be shared among school officials without parental consent. Because FERPA lacks an explicit “data sharing” provision,45 schools rely on an exception that allows for disclosures of student information to entities designated as“school officials.”46 School officials are engaged in the core administrative and instructional activities of education, and they can include contractors, consultants, and even approved volunteers to whom a school has outsourced institutional services or functions.47 As a result, tutors, cafeteria services, and increasingly, information technology providers receive data under the school official exception.

These outside parties, however, can only be considered as a “school official” if they meet certain requirement.48 First, they must perform an institutional function for which the school would otherwise use its own employees. Second, the vendor needs to be under the direct control of the school or district with respect to the use and maintenance of education records. Finally, the outside party must use any student information only for authorized purposes and cannot re-disclose PII from educational records for any other purpose. These restrictions are generally established by a written agreement with the school, and the use of student data for a third party’s own marketing activities cannot be considered a “legitimate”educational interest.49

By sharing data with a vendor or other school employee under the “school official” exceptions, the school does not grant unlimited access to education records.50 The outside party must have a legitimate educational interest in the educational records. Schools or districts must establish criteria as to what constitutes a “legitimate educational interest,” and provide this information to parents and students in an annual notification of FERPA rights.51 The existence of a legitimate educational interest can be determined on a case-by-case basis.52

Audit or Evaluation Exception: Student Assessment

In order to facilitate educational reporting requirements and to provide educators with the information needed to assess and evaluate education programs supported by state or federal funding, the audit or evaluation exception allows schools to share student data without consent.53 The Department of Education has clarified that this exception allows schools to engage with outside service providers to help run and support state-wide longitudinal data systems.54

As discussed above, student assessment data is essential to evaluating not only student performance, but the quality of education generally. Longitudinal analysis promises to more accurately capture students’ educational gains by following student performance over time – and this data allows schools to adapt to the educational needs of students transferring from school system to school system.55

In order to safeguard student privacy, FERPA regulations mandate that schools have written agreements with anyone receiving student data under this exception. While these agreements over schools a degree of flexibility, any written agreement must require that any personal information be destroyed upon completion of any evaluation or audit as well as require the implementation of policies and procedures to protect student data from any unauthorized uses.56

Directory Information: Optional and Non-Educational

Another exception to FERPA allows schools the discretion needed for companies that sell students class rings or yearbooks.59 Offering parents these sorts of controls over directory information makes sense. Sharing this sort of information is optional and not essential to a school’s educational mission.

Type of UseExampleFERPA Disclosure Exception
AdministrativeCourse scheduling, school busing“School Official”
InstructionalOnline homework, learning apps“School Official”
Assessment and MeasurementStandardized tests, course assessments“Audit or Evaluation”
Optional and Non-EducationalSchool yearbooks, PTA fundraising“Directory Information”

While privacy critics and some parent groups are worried that a lack of clarity in FERPA potentially allows for the sharing and use of student data for inappropriate marketing purposes, sharing of directory information has been singled out as particularly problematic.60 Critics worry that parents either do not read or routinely ignore FERPA notices,61 and as a result, parents are unaware of their options for the disclosure of directory information. However, schools are not obligated to make directory information available to any entity that requests it. In 2011, responding to the fact that some school districts had no directory information policies in place, the Department of Education released new guidelines that clarified that schools and districts could limit either who can access directory information or what they can do with this data.62

Protection of Pupil Rights Amendment (PPRA) 

Similarly, the Protection of Pupil Rights Amendment (PPRA) restricts non-educational uses of student data by offering parents additional choices.63 It augments the protections of FERPA by giving parents an opportunity to review curriculum materials as well as requires explicit parental consent before students can participate in any kind of government-funded survey, analysis, or evaluation covering particularly sensitive topics ranging from political and religious affiliations to sexual attitudes and behaviors.64

It also addresses explicit marketing activities in schools. Schools are required both to warn parents in advance of any collection of data from students for marketing, and provide parents with an opportunity to review in advance and opt-out of any specific marketing efforts.65 Yet PPRA recognizes that some marketing activities are also educational, and it shows how notice and opt-outs could hamper many activities that teachers as well as policymakers support.

As a result, it excludes from PPRA’s general marketing protections the following: (1) college, postsecondary education, or military recruitment; (2) book clubs, magazines, or other programs providing access to low-cost literacy products; (3) curriculum and instruction materials; (4) tests and assessments used to provide cognitive, evaluative, diagnostic, clinical, aptitude, or achievement information about students; (5) the sale by students of products for school or education- related fundraising; and (6) student recognition programs.66

  1. By the Numbers – How Data Use Is Transforming the Classroom, Education Northwest (Spring/Summer 2011), http://educationnorthwest.org/resource/1642.
  2. Arne Duncan, U.S. Sec. of Ed, Robust Data Gives Us the Roadmap to Reform, Address at the Fourth Annual IES Research Conference (June 8, 2009), http://www2.ed.gov/news/speeches/2009/06/06082009.html.
  3. U.S. Dep’t of Ed., Use of Education Data at the Local Level: From Accountability to Instructional Improvement (2010), http://www2.ed.gov/rschstat/eval/tech/use-of-education-data/use- of-education-data.pdf.
  4. Common Sense Media, National Poll Commissioned by Common Sense Media Reveals Deep Concern for How Students’ Personal Information Is Collected, Used, and Shared (Jan. 22, 2014), https://www.commonsensemedia.org/about-us/news/press-releases/national-poll-commissioned-by- common-sense-media-reveals-deep-concern; Natasha Singer, Schools Use Web Tools, and Data Is Seen at Risk, N.Y. Times (Dec. 12, 2013), http://www.nytimes.com/2013/12/13/education/schools-use- web-tools-and-data-is-seen-at-risk.html.
  5. Julia Freeland & Alex Hernandez, Clayton Christensen Institute, Schools and Software: What’s Now and What’s Next? 28 (2014), http://www.christenseninstitute.org/wp- content/uploads/2014/06/Schools-and-Software.pdf.
  6. President’s Council of Advisors on Sci. and Tech., Exec. Office of the President, Report to the President: Big Data and Privacy: A Technological Perspective xi (May 2014), http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_- _may_2014.pdf.
  7. Andrew Ujifusa, Student-Privacy Protection Focus of New York State Legislation, EdWeek (June 17, 2013), http://blogs.edweek.org/edweek/state_edwatch/2013/06/student- privacy_protection_focus_of_new_york_state_legislation.html.
  8. Managing Data Security and Privacy Risk of Third-party Vendors, Grant Thornton (2011), http://www.grantthornton.com/staticfiles/GTCom/Health%20care%20organizations/HC%20- %20managing%20data%20-%20FINAL.pdf.
  9. Because schools can generate a wide variety of data, we recognize that there are different understandings of what properly constitutes “student data” and that some of this information may go beyond what federal privacy laws cover or how student’s personally identifiable information (PII) is defined. While businesses and advocates broadly agree that protections are necessary for PII collected in the course of schooling, debate exists around under the sensitivity of metadata or various forms of aggregated or de-identified information. When we use student data in the context of this paper, we mean data captured by FERPA education records as well as other potential PII where general consensus suggests additional protection is needed.
  10. We recognize that this categorization may not provide a comprehensive taxonomy of data use in schools. For example, the Center of Law and Information Policy proposed breaking down the types of cloud services used by schools into seven categories, including school functions, classroom functions, student reporting and guidance. Joel Reidenberg et al., Privacy and Cloud Computing in Public Schools, Center on Law and Information Policy 17 (2013), http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1001&context=clip. However, categorization provides a starting point to conceptualize student data use and consent generally.
  11. Julia Freeland & Alex Hernandez, Clayton Christensen Institute, Schools and Software: What’s Now and What’s Next? i-ii (2014), http://www.christenseninstitute.org/wp- content/uploads/2014/06/Schools-and-Software.pdf.
  12. Alan Schwarz, Mooresville’s Shining Example (It’s Not Just About the Laptops), N.Y. Times (Feb. 12, 2012), http://www.nytimes.com/2012/02/13/education/mooresville-school-district-a-laptop- success-story.html.
  13. Michelle R. Davis, Schools Use Digital Tools to Customize Education, EdWeek (Mar. 14, 2011), http://www.edweek.org/ew/articles/2011/03/17/25overview.h30.html
  14. A context-based approach to privacy was first explored by Professor Helen Nissenbaum, and the principle endorses evaluating data use based upon what individuals might expect given the circumstances of collection. It has since been embraced by the White House’s Consumer Privacy Bill of Rights.
  15. While student data should be used to the benefit of the students, we must recognize that the analysis and use of student data may only indirectly benefit individual students. Use of student data for assessment and measurement may provide a bigger benefit to teachers and school systems and ultimately society at large than it will for any individual student. When it comes to data projects, better data benefit analysis is warranted.
  16. Analyzing Student Data, Pearson, http://www.pearsonschoolsystems.com/solutions/dataanalysis/ (last visited May 15, 2014).
  17. E-mail from Daniel Domagala, Chief Information Officer, Colorado Department of Education, to Future of Privacy Forum (May 7, 2014) (on file with author).
  18. Caralee J. Adams, Data Driving College Preparation, EdWeek (Nov. 15, 2011), http://www.edweek.org/ew/articles/2011/11/16/12data_ep.h31.html
  19. Stephanie Simon, Big Brother: Meet the Parents, Politico (June 5, 2014), http://www.politico.com/story/2014/06/internet-data-mining-children-107461.html.
  20. Press Release, While Policymakers Do Little, Marketers Are Busy in Schools, National Education Policy Center (Mar. 11, 2014), http://nepc.colorado.edu/newsletter/2014/03/schoolhouse- commercialism-2013
  21. Benjamin Herold, Danger Posed by Student-Data Breaches Prompts Action, EdWeek (Jan. 22, 2014), http://www.edweek.org/ew/articles/2014/01/22/18dataharm_ep.h33.html.
  22. Andrew Ujifusa, State Lawmakers Ramp Up Attention to Data Privacy, EdWeek (Apr. 15, 2014), http://www.edweek.org/ew/articles/2014/04/16/28data.h33.html. Other bills blanket prohibitions on the collection of some categories of information.
  23. Ellis Booker, Education Data: Privacy Backlash Begins, Info. Week (Apr. 26, 2013), http://www.informationweek.com/education-data-privacy-backlash-begins/d/d-id/1109713?.
  24. Daniel J. Solove, Privacy Self-Management and the Consent Dilemma, 126 Harv. L. Rev. 1880, 1886, 1899 (2013).
  25. Andrew Ujifusa, Student-Privacy Protection Focus of New York State Legislation, EdWeek (June 17, 2013), http://blogs.edweek.org/edweek/state_edwatch/2013/06/student- privacy_protection_focus_of_new_york_state_legislation.html.
  26. Andrew Ujifusa, State Lawmakers Ramp Up Attention to Data Privacy, EdWeek (Apr. 15, 2014), http://www.edweek.org/ew/articles/2014/04/16/28data.h33.html. Other bills blanket prohibitions on the collection of some categories of information.
  27. Benjamin Herold, Q&A: Data, Privacy, and Parental Consent with Lori Fey of Ed-Fi Alliance, EdWeek (Mar. 4, 2014), http://blogs.edweek.org/edweek/DigitalEducation/2014/03/qa_data_privacy_and_parental_c.html
  28. Trends in Digital Learning: Students’ Views on Innovative Classroom Models 9, Project Tomorrow & Blackboard Inc. (2014), http://www.tomorrow.org/speakup/2014_OnlineLearningReport.html.
  29. See Sharnell Jackson, Using Data to Inform and Personalize Learning, available at www.edweek.org/media/071813_usingdata.pdf (last visited May 15, 2014); but see What Works Clearinghouse, Intervention Report: Carnegie Learning Curricula and Cognitive Tutor, Institute of Education Sciences (2013), http://ies.ed.gov/ncee/wwc/pdf/intervention_reports/wwc_cogtutor_012913.pdf.
  30. Robert Kolker, The Opt-Outers, The New Yorker (Nov. 24, 2013), http://nymag.com/news/features/anti-testing-2013-12/index4.html (Quoting the New York State deputy education commissioner, cautioning parents “that if they remove their child from the assessment program, there’s an impact. We really believe that these tests are not only important but irreplaceable. A parent who opts out of that is giving up the opportunity to get a critical piece of information.”).
  31. E-mail from Daniel Domagala, Chief Information Officer, Colorado Department of Education, to Future of Privacy Forum (May 7, 2014) (on file with author).
  32. See Robert Kolker, The Opt-Outers, The New Yorker (Nov. 24, 2013), http://nymag.com/news/features/anti-testing-2013-12/index4.html. The consequences of opting-out of assessments in terms of either federal funding or producing misleading results is, at the moment, unknown, but could be significant.
  33. Gene Sperling, National Economic Council, Bridging the Digital Divide, From the Front Lines, Wash. Post Live (Nov. 13, 2013), http://www.washingtonpost.com/postlive/bridging-the-digital- divide-from-the-front-lines/2013/11/12/95c14966-4b28-11e3-be6b-d3d28122e6d4_story.html.
  34. See Terry M. Moe & John E. Chubb, Liberating Learning 2009.
  35. Joseph Jerome, Buying and Selling Privacy Big Data’s Different Burdens and Benefits, 66 Stan. L. Rev. Online 47 (2013), http://www.stanfordlawreview.org/online/privacy-and-big-data/buying- and-selling-privacy
  36. Sophia Hollander, Privacy School Goes All In With Tech, Wall Street Journal (Nov. 18, 2012), http://online.wsj.com/news/articles/SB10001424127887323353204578127104047173928?mg=reno64 wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB100014241278873233532045781271040471 73928.html; see also Keeping Pace with K-12 Online & Blended Learning (2013), available at http://kpk12.com/cms/wp-content/uploads/EEG_KP2013-lr.pdf.
  37. Gene Sperling, National Economic Council, Bridging the Digital Divide, From the Front Lines, Wash. Post Live (Nov. 13, 2013), http://www.washingtonpost.com/postlive/bridging-the-digital- divide-from-the-front-lines/2013/11/12/95c14966-4b28-11e3-be6b-d3d28122e6d4_story.html.
  38. The integration of technology in schools must also be done carefully to avoid perpetuating biases and discouraging achievement. Educators and service providers must ensure that they remain sensitive to the diverse backgrounds of students even as they develop and use technologies in the classroom.
  39. See, e.g., Daniel Solove, Educational Institutions and Cloud Computing: A Roadmap of Responsibilities, HuffingtonPost (Nov. 18, 2012), http://www.huffingtonpost.com/daniel-j- solove/educational-institutions-_b_2156612.html; Jon Bernstein, Cloud Computing Raises Student Privacy Concerns, Catalyst Chicago (May 12, 2012), http://www.catalyst- chicago.org/news/2012/05/14/20113/cloud-computing-raises-student-privacy-concerns; http://www.informationweek.com/inbloom-educational-data-warehouse-wilts-under-scrutiny/d/d- id/1111089; Denise Harrison, Is Cloud Computing a Credible Solution for Education?, Campus Technology (Nov. 12, 2009), http://campustechnology.com/Articles/2009/11/12/Is-Cloud-Computing- a-Credible-Solution-for-Education.aspx?Page=3.
  40. These challenges are compounded by the wide-ranging differences in the size and wealth of individual school districts. The decentralization of education has proven problematic in the field of information technology. For example, in Oklahoma, education officials viewed consolidating information technology functions across the state as a key way to lower costs: Michael McNutt, Oklahoma Officials Offer Consolidation of Information Technology Services to School Districts, NewsOK (Feb. 7, 2013), http://newsok.com/oklahoma-officials-offer-consolidation-of-information- technology-services-to-school-districts/article/3753067.
  41. Ben Kamisar, InBloom Sputters Amid Concerns About Privacy of Student Data, EdWeek (Jan. 7, 2014), http://www.edweek.org/ew/articles/2014/01/08/15inbloom_ep.h33.html (“The issue is, now we have to either build or do [a request for proposals] for ‘middleware’—”data-management tools similar to what inBloom provides—”because you need storage of data, and you need learning analytics that integrate the data and connect it to standards and grade-level expectations,” Ms. Stevenson said. “When you are going to do the work from scratch, it’s a whole different world.”) In these cases, the technical expertise is not so much about security, but about engineering, as well as software and instructional design; and the resource capacity is more about scale across multiple users both to support the development investment as well as the continuous improvement.
  42. Chrys Dougherty, Getting FERPA Right: Encouraging Data Use While Protecting Student Privacy, in A Byte at the Apple: Rethinking Education Data for the Post-NCLB Era 38, 39 (Marci Kanstoroom & Eric Osberg eds., 2008).
  43. U.S. Dep’t of Education, FERPA General Guidance for Parents, http://www2.ed.gov/policy/gen/guid/fpco/ferpa/parents.html (last modified Apr. 10, 2014).
  44. The Department of Education considers personally identifiable information (PII) to include, but not be limited to: (a) the student’s name; (b) the name of the student’s parent or other family members; (c) the address of the student or student’s family; (d) a personal identifier, such as the student’s social security number, student number, or biometric record;(e) other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name; (f) other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or (g) information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates. 34 CFR § 99.3.
  45. Privacy Technical Assistance Center, Transcript: Data Sharing Under FERPA (Jan. 2012), http://ptac.ed.gov/sites/default/files/data-sharing-webinar-transcript.pdf.
  46. 34 CFR § 99.31(a)(1)(B)
  47. Id.
  48. 34 CFR § 99.31(a)(1)(B)(1-3).
  49. See Harrison Stark, Protecting Student Data From the Classroom to the Cloud, Common Sense Media (Feb. 26, 2014), https://www.commonsensemedia.org/educators/blog/protecting- student-data-from-the-classroom-to-the-cloud (noting that leading educational technology providers, including McGraw-Hill, Microsoft, and Amplify, all agreed that student data must only be used for “educational purposes.”).
  50. Defining “Legitimate Educational Interests,” National Center for Education Statistics, http://nces.ed.gov/pubs2004/privacy/section_4b.asp (last visited May 15, 2014)
  51. 34 CFR § 99.7(a)(3)(iii).
  52.  Defining “Legitimate Educational Interests,” National Center for Education Statistics,http://nces.ed.gov/pubs2004/privacy/section_4b.asp (last visited May 15, 2014).
  53. 34 CFR §§ 99.31(a)(3) and 99.35.
  54.  76 Fed. Reg. 75604 (Dec. 2, 2011).
  55. See, e.g., Longitudinal Data System for Education in Maryland, Maryland State Department of Education (2009), http://www.marylandpublicschools.org/NR/rdonlyres/841ABD3D-FC95-47AB- BB74-BD3C85A1EFB8/20240/fact83.pdf
  56.  34 CFR §99.35(a)(3).
  57. 57  See 34 CFR § 99.37 for a discussion of the conditions needed for schools to disclose directory information.
  58. U.S. Dep’t of Education, Model Notice for Directory Information, http://www2.ed.gov/policy/gen/guid/fpco/ferpa/mndirectoryinfo.html (last modified Mar. 14, 2011).
  59. E.g., Valley R-VI School District, Missouri, Notice of Designation of Directory Information (Nov. 2010), http://valleyschooldistrict.org/filestore/Form2400.pdf
  60. Opt-Out Ferpa, http://www.opt-out-now.info (last visited May 15, 2014). See also Anya Kamenetz, What Parents Need To Know About Big Data And Student Privacy, NPR (Apr. 28, 2014 11:58 AM ET), http://www.npr.org/blogs/alltechconsidered/2014/04/28/305715935/what-parents- need-to-know-about-big-data-and-student-privacy (“The big hole in FERPA is directory information,” says Sheila Kaplan, the privacy activist.)
  61. Winona Zimberlin, Who’s Reading Johnny’s School Records? (Apr./May 2006), available at http://www.americanbar.org/newsletter/publications/gp_solo_magazine_home/gp_solo_magazine_ind ex/whosreadingrecords.html.
  62. U.S. Dep’t of Education, December 2011 – Revised FERPA Regulations: An Overview for SEAs and LEAs 2 (2011), available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/sealea_overview.pdf ; 76 Fed. Reg. 19726-19739 (Apr. 8, 2011).
  63. 20 U.S.C. § 1232h (1978
  64. 20 U.S.C. § 1232h(a-b).
  65. 20 U.S.C. § 1232h(b).
  66. 20 U.S.C. § 1232h(c)(1)(E).
  67. Natasha Singer, Group Presses for Safeguards on the Personal Data of Schoolchildren, N.Y.Times, Oct. 13, 2013, http://www.nytimes.com/2013/10/14/technology/concerns-arise-over-privacy- of-schoolchildrens-data.html.
  68. Managing Data Security and Privacy Risk of Third-party Vendors, Grant Thornton (2011), http://www.grantthornton.com/staticfiles/GTCom/Health%20care%20organizations/HC%20- %20managing%20data%20-%20FINAL.pdf.
  69. Scott Aronowitz, Enterprise Software Brings Cost Savings to School Districts Worldwide, T.H.E. Journal (Sept. 24, 2009), http://thejournal.com/articles/2009/09/24/enterprise-software-brings- cost-savings-to-school-districts-worldwide.aspx.
  70. See Eric Butterman & Carol Patton, Demystifying Cloud, Scholastic Administr@tor Magazine, http://www.scholastic.com/browse/article.jsp?id=3755252 (last visited May 15, 2014).
  71. See Jessica Leber, The Education Giant Adapts, MIT Technology Review (Nov. 23, 2012), http://www.technologyreview.com/news/506361/the-education-giant-adapts/.
  72. Article 2 (d) and (e) of Directive 95/46/EC; see also http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf.
  73. Id. The EU Article 29 Working Party has also released an opinion about the privacy issues surrounding cloud computing available at http://ec.europa.eu/justice/data-protection/article- 29/documentation/opinion-recommendation/files/2012/wp196_en.pdf.
  74. Further, we note that FERPA may only apply to a limited world of data. Any gaps in student data covered by FERPA should be addressed through legislative responses or better self-regulation.
  75. Amy Malone, Data: Big, Borderless and Beyond Control? Five Things You Can Do, JDSUPRA (Mar. 3, 2014), https://www.jdsupra.com/legalnews/data-big-borderless-and-beyond-control-52884/.
  76. 45 C.F.R. § 160.102. Protected health information (PHI) under HIPAA consists of all “individually identifiable health information.
  77. See 45 C.F.R. § 164.502.
  78. 45 C.F.R. § 160.103.
  79. U.S. Dep’t of Health & Human Serv., Health Information Privacy, Business Associates, www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html (last revised Apr. 3, 2003).
  80. Id. It is worth noting, however, that business associates may be able to engage in data aggregation and business associate management independent of any agreement with a HIPAA covered entity. Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,644 (Dec. 28, 2000).
  81. Fed. Trade Comm’n, Bureau of Consumer Protection, In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act, http://www.business.ftc.gov/documents/bus53-brief- financial-privacy-requirements-gramm-leach-bliley-act (last updated July 2002).
  82. Gramm-Leach-Bliley Act (Privacy of Consumer Financial Information) VIII-1.2, FDIC Complaince Manual (Jan. 2014), available at http://www.fdic.gov/regulations/compliance/manual/pdf/VIII-1.1.pdf.
  83. Who is a HIPAA business associate?, McDonald Hopkins Alert (July 3, 2013), http://www.mcdonaldhopkins.com/alerts/healthcare-who-is-a-hipaa-business-associate.
  84. U.K. Information Commissioner’s Office, Key Definition of the Data Privacy Act, http://ico.org.uk/for_organisations/data_protection/the_guide/key_definitions (last visited May 15, 2014) “In relation to data protection, the main reason for this particular definition is to ensure that a person such as a data processor, who is effectively acting as the data controller, is not considered a third party.
  85. See, e.g., Fed. Trade Comm’n, Privacy Online: A Report to Congress 7 (1998)
  86. See generally Fed. Deposit Insurance Corp., Privacy Choices, http://www.fdic.gov/consumers/privacy/privacychoices/#yourright (last updated Jan. 25, 2008).
  87. E-mail from Daniel Domagala, Chief Information Officer, Colorado Department of Education, to Future of Privacy Forum (May 7, 2014) (on file with author).
  88. Ellis Booker, Education Data: Privacy Backlash Begins, Info. Week (Apr. 26, 2013), http://www.informationweek.com/education-data-privacy-backlash-begins/d/d-id/1109713?.
  89. Gary Stern, N.Y. Plans to Share Data From Pre-K to Workforce, Aims to Unlock Keys to Student Success, LoHud.com (Jan. 25, 2014), http://www.lohud.com/article/20140125/NEWS02/301250047.
  90. In a separate paper, Jules Polonetsky and Omer Tene elaborate on the need for parents and students to be granted access to student data in a useable format. Alongside further insight into the logic underlying the algorithms used to assess student performance, this sort of “featurizing” of data could help students and parents see how they are doing in real time – and help nurture students’ strengths and support them in their weaknesses. Jules Polonetsky & Omer Tene, Who Is Reading Whom Now: Privacy in Education from Books to MOOCs 68-71 (2014) (working draft on file with author).
  91. Mark Schneiderman, SIIA Announces Industry Best Practices to Safeguard Student Information Privacy and Data Security and Advance the Effective Use of Technology in Education (Feb. 24, 2014), http://www.siia.net/blog/index.php/2014/02/siia-announces-industry-best-practices-to- safeguard-student-information-privacy-and-data-security-and-advance-the-effective-use-of- technology-in-education/.
  92. See iKeepSafe, Student Data Privacy and Security: A Roadmap for School Systems, for a discussion of how school districts might implement privacy programs.
  93. Press Release, Governor Cuomo and Legislative Leaders Announce Passage of 2014-15 Budget, Governor of N.Y. (Mar. 31, 2014), http://www.governor.ny.gov/press/03312014Budget
  94. Andrew Ujifusa, State Lawmakers Ramp Up Attention to Student Data Privacy, EdWeek (Apr. 16, 2014), http://www.edweek.org/ew/articles/2014/04/16/28data.h33.html.
  95. Arne Duncan, U.S. Sec. of Ed, Technology in Education: Privacy and Progress, Remarks at the Common Sense Media Privacy Zone Conference (Feb. 24, 2014), https://www.ed.gov/news/speeches/technology-education-privacy-and-progress.