New Student Data Privacy Toolkit Encourages Parent Advocacy
A pair of advocacy organizations, the Parent Coalition for Student Privacy and the Campaign for a Commercial-Free Childhood, have released a toolkit that urges parents to be more vigilant in questioning school districts' and ed-tech companies' data-privacy policies.
Partly a guide on federal privacy laws, partly an activism manual, the toolkit encourages parents to question teachers and district officials about how data is collected, stored, and shared, and to advocate for stricter standards in their children's schools.
The toolkit also lists best practices for schools, districts, and states, and teaches parents how to identify what the groups consider "red flags" in terms of service agreements with education companies.
"It's really important for parents to know what rights they have and to be able to advocate for even stronger data practices," said Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, a data privacy advocacy organization, in an interview.
As tech companies build an ever-increasing presence in K-12 schools, and they work in coordination with districts to collect data on students' academic work and other information, district officials and advocacy groups continue to raise concerns about how closely that information is being safeguarded.
Both industry organizations and the U.S. Department of Education have issued guidance and suggestions for districts in navigating federal privacy regulations and putting policies in place to secure student data. But parents, said Haimson, are often unclear about what schools' and districts' choices mean for their children.
"There are a lot of legal rights that parents already have that they don't know that they have," she said. Haimson hopes that parents can provide a "counterforce" to ed-tech companies pushing for more access to what she calls "very sensitive" student data.
Haimson was one of the leading voices in the 2014 campaign against inBloom, a data-management company that faced vocal resistance from groups of data privacy advocates. She founded PCSP in the aftermath, along with others who had been active in the opposition.
The limitations of Family Educational Rights and Privacy Act, or FERPA, a federal law designed to protect students' personal information, became apparent during the controversy, she argued.
Federal law allows schools to disclose some information about students to educational companies under certain circumstances, according to guidance from the Department of Education. So-called "directory information," such as students' name and address, can be released as long as parents have been notified and have not opted out of this information being shared.
Other personally identifiable information—sometimes including sensitive information such as date of birth, academic and behavioral records, and more—can be shared if districts designate a vendor as a "school official." In this case, companies are only allowed to use the student information for purposes that have been authorized by districts.
But the law does not cover so-called "metadata," information about how and when students use programs that can give context for other data points. Companies are also generally free to use other de-identified student data for a wide range of purposes, including commercial reasons and to build learner profiles. Some state laws are more restrictive than FERPA around these issues.
Though companies are legally allowed to collect some types of student data under FERPA, many of the allowable uses may concern parents, said Haimson. Commercial use raises the possibility that students may be "bombarded" by targeted ads while they're doing their homework, she said, and algorithms that use student information to create learner profiles can be discriminatory.
While some parents and privacy advocates have sought tighter restrictions on how companies and districts use, protect and share student data, some K-12 officials and industry leaders warn that overly restrictive policies could stymie innovation. For instance, many efforts to customize or "personalize" instruction to student needs through digital platforms count on collecting data on individual students' academic performance.
The toolkit suggests that parents ask detailed questions about security measures, whether the district is hosting information locally or in through a cloud computing platform.
If sensitive student records regarding, for example, disability status or suspensions were to be hacked, it could harm a student's future education or job prospects, argued Haimson.
"Once something like that is out on the internet, it's very hard to put the genie back in the bottle."