States Earn Low Grades on Student-Data Privacy Protections From New Report Card
A new report card that rates states on their efforts to protect student-data privacy was released by advocacy groups this week, but an independent privacy group said those ratings don't reflect the range of legislation and efforts being made to keep student data safe.
The Parent Coalition for Student Privacy and the Network for Public Education issued a report Wednesday that analyzes the thoroughness and quality of student-data privacy laws passed in the U.S. in the past five years. The goal of The State Student Privacy Report Card is to help parents, advocates, and legislators untangle the complicated web of state student-data privacy laws across the country, according to the two groups, which say the report is the first of its kind.
"This report card provides not only critical information regarding the existing laws, but also serves as a blueprint for parents to use for lobbying for better protections for their children," NPE Executive Director Carol Burris said in a statement.
The report grades each state on its efforts around student-data privacy, analyzing 99 student privacy laws passed in 39 states and the District of Columbia between 2013 and 2018. Each state was graded on seven categories, which include transparency, parental and student rights, limits on commercial use of data, and enforcement.
No state earned an "A" grade on the report card. The only state to earn a "B" was Colorado, while three states—New Hampshire, New York, and Tennessee—received the second-highest average grade of "B-." Eleven states received an "F." These states include Alabama, Alaska, Massachusetts, Minnesota, Mississippi, Montana, New Jersey, New Mexico, South Carolina, Vermont and Wisconsin.
However, some privacy experts called the report "misleading." Amelia Vance, the director of education privacy and policy counsel for the Future of Privacy Forum, said the grades in the report make it seem as though states and districts are making little or no progress on the issue and that some of the criteria used to evaluate state privacy efforts are skewed.
The report "does not at all reflect what is happening either legislatively or on the ground with the districts and states who have struggled and...done so much work on this issue and to protect students," she said. "I'm worried...that people are going to take away that these states have done nothing, and that's just not the case."
Discounting State Data Privacy Progress?
The report focuses mostly on state legislation that has been enacted, but it does not include a focus on policies or regulations, resulting in low grades for many states. While the report analyzed 99 laws that passed from 2013 to 2018, FERPA|Sherpa, a project of the Future of Privacy Forum, recorded a total of 113 laws during that same time frame. FERPA|Sherpa's analysis comes from the Data Quality Campaign, Foresight Law+Policy, and the National Association of State Boards of Education.
Rachael Stickland, the primary author of the student-data privacy report card and co-founder and co-chair of the Parent Coalition for Student Privacy, said she only took into account 99 of the student-data privacy laws because she wanted to focus on legislation that was crafted specifically to address student-data privacy.
Some of the states with the lowest grades have actually made significant efforts around student-data privacy, Vance said. For instance, South Carolina received an "F" grade in the report card for a failure to pass any student-data privacy laws, but Vance noted that the state passed a law in 2014 that forbade the state Department of Education from collecting student data from students or families unless it complied with the federal Individuals with Disabilities Education Act. The South Carolina law also requires that the state education department have data request procedures in place and a data management system that is accessible only to authorized individuals.
Other states received "F" grades, but have made progress on the issue, according to Vance. New Jersey has extensive regulations, such as separating health information from student records to protect it; Wisconsin has a student-data privacy website and significant training resources for its educators and employees; and Alabama, one of the first states to act on student privacy back in 2013, has one of the most strenuous regulations in the country because it requires that districts be audited for privacy and security practices every few years, Vance said.
Vance also noted that the report card downgrades schools for failing to ban the sharing of student data with the federal government and its designees, including researchers. Most parents, according to Vance, want data shared with researchers in order to allow for evidence-based practices.
Stickland said she believes that schools should ask for written consent from parents before disclosing any student data that is personally identifiable, even for researchers. "I don't think it's unreasonable to strive for," she said, adding federal privacy laws like the Family Educational Rights and Privacy Act of 1974, or FERPA, already recommends such a practice.
Additionally, Vance described student data privacy as a "contextual issue." What might be appropriate for a rural school district with 50 students might be different for an urban school district with 300,000 students. But Stickland said that type of context should not be a factor around data-privacy protections.
"I think every kid across the nation deserves the same level of protection, and it should be at the highest level possible," she said.
Debate Over Efforts Continues
Vance also quibbled with the report card's decision to downgrade schools for creating student profiles. Schools that utilize personalized learning strategies often need to create student profiles so students can play games or access educational programs digitally. "This seems almost an attack on personalized learning or tech in the classroom, itself, as opposed to a genuine look as to whether student privacy laws are sufficient in states," Vance said.
In a section of the report titled, "Why This Report Is Needed," the authors noted the now-defunct non-profit organization inBloom was part of their inspiration. Founded in 2011, inBloom launched with $100 million in support from the Bill & Melinda Gates Foundation and the Carnegie Corporation of New York to standardize student data collection, store it, and make it available to district-approved, third-party vendors. After one year, the organization received so much public backlash it eventually shut its doors.
Stickland, the author of the report, said that her children's school district was a pilot site for inBloom, but when she questioned the district about privacy protections for student data, she got conflicting information. Stickland said with this scorecard she wanted to create a "snapshot" of the laws that have been passed since then, what they do or intend to do, and to highlight their shortcomings.
She said she hopes legislators and advocates will be inspired by the report card to push for modernization of state and federal student data privacy laws.