Student Data Protection In An Era Of Education Technology Innovation

Author:Ms Katherine Brodie, Michelle Hon Donovan, Alison H. Hutton and John M. Neclerio
Profession:Duane Morris LLP

Reaching a Congressional Consensus Will Likely Require Additional Deliberation

During the current 114th U.S. Congress, a variety of House and Senate bills have been introduced that propose different approaches to addressing the growing bipartisan concern about protecting the privacy of student data (below, "Personally Identifiable Information" or "PII"). The bills address PII maintained by public and private educational institutions and state educational agencies and, in some cases, PII maintained or accessible by technology service providers or other third parties doing business with these educational entities.

Consensus regarding how and whether to increase federal mandates and penalties concerning protection of PII has not yet been reached, but awareness exists that student PII, whether for K-12 students or older, is becoming increasingly vulnerable to unauthorized disclosure or misuse, in particular for marketing purposes. Another concern is that the Family Educational Rights and Privacy Act (FERPA)—the primary federal statute designed to protect private student information—may not be adequate to respond to technological changes in how PII is stored, shared and accessed, although how and whether to amend FERPA to address this concern is far from settled.

As summarized in this Alert, the congressional proposals introduced thus far take very different approaches, including establishing a study commission to develop legislative proposals with the input of the government and the private sector; imposing additional regulation on K-12 technology service providers; and strengthening and updating FERPA, with or without enhanced governmental and private enforcement mechanisms to incentivize compliance by educational institutions and service providers.

Approach 1: Establishment of a Study Commission

The Every Child Achieves Act of 2015 (S. 1177, the bill reauthorizing the Elementary and Secondary Education Act/No Child Left Behind), passed in the Senate in July with an amendment that would establish a "Student Privacy Policy Committee" made up of congressional, federal, state, local and private representatives; experts in education technology, data storage and student privacy; and educators and parents. The Committee would study the effectiveness of current federal laws and enforcement mechanisms to protect student privacy and parental rights relating to student information and develop recommendations regarding how to improve and enforce federal laws. Specifically, the Committee would:

Examine whether there is a need to provide or update standard definitions for terms related to student privacy, including: "(i) education record; (ii) personally identifiable information; (iii) aggregated, de-identified, or anonymized data; (iv) third-party; and (v) educational purpose"; Identify which federal laws should be updated and the appropriate federal enforcement authority to execute such laws; Address data sharing in an increasingly technological world, including evaluating protections in place for student data when it is used for research purposes; establishing best practices for any entity that is charged with handling, or that comes into contact with, student education records; ensuring that identifiable data cannot be used to target students for advertising or marketing purposes; and establishing best practices for data deletion and minimization; Discuss transparency and parental access to personal student information by establishing best practices for ensuring parental knowledge of any entity that stores or accesses their student's information; parental rights to amend, delete or modify their student's information; and the designation of a central contact in a state or a political subdivision of a state who can oversee transparency and serve as a point of contact for interested parties; Establish best practices for the local entities who handle student privacy, which may include professional development for those who come into contact with identifiable data; and Discuss how to improve coordination between federal and state laws. Not later than 270 days after the date of enactment, the Committee would prepare and submit a report to the Secretary of Education and to Congress containing the findings of the...

To continue reading