This summer brought news about yet another student data breach. This time, online education platform K12.com failed to keep one of its databases properly updated, thereby leaving almost 7 million records for 19,000 of students available for anyone to steal from June 23 to July 1, 2019. The exposed information included email addresses, full names, birthdates, gender, age, school names and authentication information. It’s unclear if the data was actually accessed by malicious actors.
It’s terrifying that something as minor as a database issue can lead to the violation of a student’s privacy, increasing the risk of cyberattacks like spear phishing, identity theft and even physical harm (since malicious actors might know where the students study or even live). But this is not a unique incident; it’s just the most recent one. During 2018, the K-12 Cybersecurity Resource Center cataloged 122 publicly disclosed cybersecurity incidents affecting 119 public K-12 education agencies across 38 states. Clearly, schools need better strategies for securing the sensitive data they store.
In this article, we will explore student data privacy protection, including the nuances of U.S. student data privacy acts, and what educational organizations should do to protect student data. Note that this is not a legal guide and no information provided in this article should be considered legal advice.
Laws protecting student data
The main federal law mandating student data privacy protection, the Family Educational Rights and Privacy Act (FERPA), was enacted in 1974. A lot has changed since then. In particular, educational data systems have become more connected, online learning environments have become more common, and new digital education technologies (ed tech) that help personalize learning have been embraced by students, parents and educators.
While these tools and technologies are certainly valuable, they can increase privacy risks. Therefore, there has been a wave of new legislation designed to protect student privacy. According to FERPA|Sherpa, since 2013, and 41 states have passed 126 student data privacy laws that focus on student privacy protection or have significant education privacy provisions. The most common provisions of state laws include limitations on the collection and use of educational records.
In addition, at the federal level, FERPA has been supplemented by PPRA (another student data privacy act) and COPPA (an act focused on child privacy). Let’s explore all three laws in more detail.
-
The Family Educational Rights and Privacy Act (FERPA) (also called the Buckley Amendment)
Effective date: 1974
Provisions: FERPA protects the privacy of student education records, from report cards to family information. The law requires organizations to restrict the access, use and sharing of student information, and allows parents (and students, once they have reached the age of 18) to review, request correction of, and opt out of the disclosure of education records (though student personal data can still be disclosed without consent to appropriate officials in certain situations, such as a health or safety emergency).
FERPA is often criticized as having flaws in its privacy protections. For example, the law makes it possible to schools and districts to share data with vendors, contractors and consultants without parental notification or consent. The same exception is made for organizations and individuals performing evaluations and for audit purposes. Moreover, FERPA doesn’t say anything about data breach notifications, and it doesn’t provide any specific framework for securing educational records, so educational institutions generally develop their own model based on a generally accepted IT framework such as ISO 27000 series, COBIT 5 or NIST SP800-53.
Scope: FERPA applies to all educational agencies and institutions that receive federal funding. It is administered by the Family Policy Compliance Office.
Data protected: FERPA protects student’s education records. Those can be student records, with certain exceptions, maintained by an institution that is directly related to students and from which students can be personally identified. Examples include: grades, transcripts, schedules, papers, tests, disciplinary records, personal information. With certain exceptions FERPA requires educational organizations to receive written consent prior to disclosing a student’s education records. There are three types of data involved:
- Personally identifiable information (PII) — Any record or information from which an individual student or students can be personally identified. Access to and disclosure of PII must be strictly limited to individuals with an official need to know. See FERPA 34 CFR § 99.3, for a complete definition of PII specific to education records and for examples of other data elements that are defined to constitute PII.
- Directory information — Any information in the education record that is not considered to be harmful or an invasion of privacy if disclosed. Typical examples of directory information include student names and addresses. FERPA allows an institution to disclose directory information without prior written consent unless parents or eligible students opt out, provided it has given public notice of the types of information which it considers to be “directory information.”
- De-identified data — Data from which all PII has been removed and a reasonable determination has been made that no student is personally identifiable.
Penalties for violations: Possible loss of federal financial aid, but no educational institution has been penalized yet.
-
The Protection of Pupils Rights Amendment (PPRA) (also called the Hatch Amendment)
Effective date: 1978
Provisions: States and school districts must follow the PPRA rules when administering tools like surveys, analyses and evaluations funded by the U.S. Department of Education, as well as non-federally funded surveys that deal with sensitive information. The law protects sensitive information collected from students, and limits the disclosure and use of this information for marketing purposes. It also allows parents to review surveys, evaluations and analyses and to give written consent or opt out from participating.
Scope: PPRA applies to programs that receive federal funding from the U.S. Department of Education. Unlike FERPA, which also applies to post-secondary institutions, PPRA affects only K-12 institutions.
Data protected: PPRA protects personal information, which includes the student’s or parent’s first and last name; home or other physical address (including street name and the name of the city or town); telephone number; and Social Security number. It also prohibits questions about the following topics from being asked without prior consent from a parent:
- Political affiliations or beliefs of the student or the student’s parent
- Mental or psychological problems of the student or the student’s family
- Sex behavior or attitudes
- Illegal, anti-social, self-incriminating or demeaning behavior
- Critical appraisals of other individuals with whom respondents have close family relationships
- Legally recognized privileged or analogous relationships, such as those of lawyers, physicians and ministers
- Religious practices, affiliations or beliefs of the student or student’s parent
- Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program)
Penalties for violations: Loss of federal funding.
-
Children’s Online Privacy Protection Act (COPPA)
Effective date: 1998
Provisions: The law is designed to protect the privacy of children under the age of 13 while online. It requires websites operators and online services such as games and mobile applications to ensure they have verified parental consent before targeting or collecting personally identifiable information from children under 13. They must also allow parents to review and request deletion of any information collected from their children.
COPPA has a number of requirements to protect PII. One of them is to create a clear privacy policy and post a link to it in a visible place on every page where personal information is collected. The privacy act also requires reasonable data security procedures, including disclosing and releasing PII only to parties capable of maintaining its confidentiality and security, as well as data retention and deletion requirements.
Scope: COPPA applies directly to technology operators who have specific sections for children or actual knowledge of children using their site. The law applies globally to any website directed at U.S. children.
Data protected: COPPA forbids the collection of first and last names; home addresses; online contact information such as email addresses; telephone numbers; Social Security numbers; and personal identifiers such as IP addresses and customer IDs in browser cookies. The list also includes photos, videos and audio of a child.
Penalties for violations: $40,000 per violation, issued by the Federal Trade Commission. The biggest fine to date was issued in February 2019 when ByteDance was fined $5.7 million for its TikTok app.
How can schools protect student privacy?
The following best practices can help schools safeguard student privacy:
- Use data discovery and classification to learn where sensitive data is stored and classify it as PII, educational records or directory information.
- Know which information you share with third party providers by keeping an inventory of your ed tech services, including both free and paid services. Develop policies for the evaluation and approval of new ed tech services.
- Develop policies to govern the collection, use and protection of student data. Specify under what conditions the school, the district, parents and eligible students will be permitted to access the data, and explain the process for obtaining access. Ensure that teachers, school physicians, IT staff and other school personnel are permitted to access data only as needed for their job duties. Explain how control around student data will be maintained and how data will be protected against unauthorized access. The policy should also restrict the sharing of personal data for advertising and marketing purposes.
- Provide training for all employees to raise awareness around student data privacy protection. Provide clear guidelines regarding the collection and use of sensitive data. Remind them that the records of any student shouldn’t be accessed for any reason other than a legitimate educational requirement.
- Ensure that all of the above efforts are consistent with federal, state and local compliance regulations. Designate an office or individual responsible for compliance.
Conclusion: Know your data
Educational technologies bring enormous value to the education process, but they can greatly complicate the goal of protecting the privacy of student data. The best step any educational organization can take to get started is to know exactly what data they store and how sensitive it is, so they can protect sensitive and regulated data as required by compliance mandates.