'De-Identifying' Student Data: Next Front in the Privacy Wars?
Hoping to shed light on a huge legal and technical gray area involving the sharing and use of student data, Washington think tank Future of Privacy Forum released this week a new paper on the "de-identification" of sensitive student information.
Ideally, that de-identification process involves purging student records of any information that is directly linked to an individual student, as well as removing or obscuring any indirect information that could allow others to figure out who an individual student is, before the records are shared with a third party.
But that is often easier said than done in an era in which students generate massive amounts of digital information, data brokers use public and private sources to amass extensive profiles of individual citizens, and researchers and vendors use increasingly advanced statistical and mathematical techniques in the course of everyday business.
"Appropriate and well-designed student data use by schools, families, researchers, and service providers greatly enhances teaching and learning," says the Future of Privacy Forum's analysis.
"These technology advancements, however, also invite new risks for exposing personally identifiable student data to unauthorized disclosures, misuse, and abuse," the paper says.
Personally identifiable information is generally considered to include a student's name and address, the names of their family members, and personal identifiers, such as Social Security number or student ID. Indirect identifiers might include the student's date and place of birth, race, religion, weight, financial information, mother's maiden name, and more.
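The two halves of the process described above, purging direct identifiers and then coarsening the indirect ones, can be checked mechanically. The Python below is an added illustration written for this article, not code from the Future of Privacy Forum paper; the student records, the field names, the generalization ladder and the k threshold are all constructed assumptions. It strips the direct identifiers, then measures how many students remain unique on the indirect fields alone (the "k-anonymity" of the release) and generalizes until every combination of indirect identifiers is shared by at least k students.

```python
"""Added example: de-identify constructed student records by stripping direct
identifiers and generalizing indirect (quasi-) identifiers until k-anonymity holds."""
from collections import Counter

# Constructed sample records (hypothetical students, not real data).
RECORDS = [
    {"name": "Alice", "student_id": "S-1001", "dob": "2009-03-14", "zip": "80301", "race": "W", "sex": "F", "score": 82},
    {"name": "Bob",   "student_id": "S-1002", "dob": "2010-07-02", "zip": "80302", "race": "W", "sex": "M", "score": 75},
    {"name": "Carol", "student_id": "S-1003", "dob": "2009-11-30", "zip": "80303", "race": "A", "sex": "F", "score": 91},
    {"name": "Dan",   "student_id": "S-1004", "dob": "2010-01-21", "zip": "80301", "race": "H", "sex": "M", "score": 68},
    {"name": "Eve",   "student_id": "S-1005", "dob": "2009-05-05", "zip": "80304", "race": "W", "sex": "F", "score": 88},
    {"name": "Frank", "student_id": "S-1006", "dob": "2010-09-09", "zip": "80302", "race": "W", "sex": "M", "score": 70},
    {"name": "Grace", "student_id": "S-1007", "dob": "2009-12-12", "zip": "80303", "race": "A", "sex": "F", "score": 94},
    {"name": "Hank",  "student_id": "S-1008", "dob": "2010-04-18", "zip": "80301", "race": "H", "sex": "M", "score": 72},
]

# Field classification is an assumption for this example; a district would map
# its own schema onto these two categories.
DIRECT_IDENTIFIERS = {"name", "student_id"}
QUASI_IDENTIFIERS = ("dob", "zip", "race", "sex")


def strip_direct_identifiers(record):
    """Remove the fields that name the student outright (the easy half)."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def _group_counts(records, quasi):
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi):
    """Smallest number of records sharing one combination of quasi-identifier
    values. k == 1 means some student is unique on these fields alone, so any
    outside dataset carrying the same fields can be joined back to that student."""
    return min(_group_counts(records, quasi).values())


def unique_records(records, quasi):
    """Number of records that are singletons on the quasi-identifiers."""
    groups = _group_counts(records, quasi)
    return sum(1 for r in records if groups[tuple(r[q] for q in quasi)] == 1)


# Generalization ladder: each level coarsens or suppresses more indirect fields.
def _level1(r):
    r = dict(r)
    r["dob"] = r["dob"][:4]   # full birth date -> birth year
    r["zip"] = r["zip"][:3]   # 5-digit ZIP -> 3-digit prefix
    return r


def _level2(r):
    r = _level1(r)
    r["race"] = "*"           # suppress race entirely
    return r


def _level3(r):
    r = _level2(r)
    r["sex"] = "*"            # suppress sex as well
    return r


LADDER = [dict, _level1, _level2, _level3]


def deidentify(records, k_min=3):
    """Strip direct identifiers, then climb the ladder until every combination of
    quasi-identifiers is shared by at least k_min records.
    Returns (level, k, records). Raises if even the coarsest level falls short,
    which is the signal that the data should not be released in this form."""
    base = [strip_direct_identifiers(r) for r in records]
    for level, generalize in enumerate(LADDER):
        released = [generalize(r) for r in base]
        k = k_anonymity(released, QUASI_IDENTIFIERS)
        if k >= k_min:
            return level, k, released
    raise ValueError(f"cannot reach k={k_min} with this ladder; do not release")


if __name__ == "__main__":
    base = [strip_direct_identifiers(r) for r in RECORDS]
    for level, generalize in enumerate(LADDER):
        rel = [generalize(r) for r in base]
        print(f"level {level}: k={k_anonymity(rel, QUASI_IDENTIFIERS)}, "
              f"unique={unique_records(rel, QUASI_IDENTIFIERS)}")
    level, k, released = deidentify(RECORDS, k_min=3)
    print(f"released at level {level} with k={k}")
    for r in released:
        print(r)
```

On these constructed records, removing names and IDs alone leaves every student unique on date of birth, ZIP, race and sex (k = 1); coarsening to birth year and ZIP prefix reaches k = 2, and suppressing race reaches k = 4. The choice of threshold, of which fields count as indirect identifiers, and of what to coarsen first is exactly the case-by-case judgment the paper describes, and k-anonymity alone does not protect a sensitive field (here `score`) that happens to be identical across a whole group.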
At the federal level, the handling of such information is governed primarily by the federal Family Educational Rights and Privacy Act. FERPA, as the law is commonly known, "prohibits the disclosure of education records containing personally identifiable student data without parent or eligible student consent," according to the new paper.
But that leaves open considerable room for interpretation—and disagreement.
The Future of Privacy Forum, which is closely aligned with industry and is the prime mover behind a voluntary student-data-privacy protection pledge that has been signed by more than 160 companies, believes that "appropriately de-identified" student information is not covered by FERPA.
"The release of education records that have been appropriately de-identified...is not considered a 'disclosure' under FERPA, since by definition such records do not contain PII (personally identifiable information)," the group writes.
"Properly de-identified student data thus may be shared without limitation under FERPA (although other federal and state privacy laws may apply). Furthermore, 'de-identified' information from education records is not subject to any destruction requirements because, by definition, it is not 'personally identifiable information.'"
Fordham law professor and privacy expert Joel Reidenberg, who is also an academic adviser to the Future of Privacy Forum, however, pointed out what he views as problems with that approach and the ways in which it highlights "holes in FERPA's scope of coverage."
For one, Reidenberg said, technical and statistical advances have made it "easier and easier" to take data that has ostensibly been "de-identified" and link it back to individual students.
In addition, he said, "customized profiles" of individual students constructed on the basis of their interactions with technology may not include a student's name or address, but are still being used to make critical decisions about what and how students are taught.
And most troubling, Reidenberg maintained, is that it appears that neither parents nor advocacy groups have any standing to challenge the ways in which FERPA is being interpreted, applied, and regulated by the U.S. Department of Education. When the Electronic Privacy Information Center attempted to sue the department over controversial regulations it issued in 2011, the courts dismissed the case, saying EPIC lacked legal standing.
Some of that could be poised to change. In recent months, multiple bills have been introduced in Congress that would either rewrite FERPA or create entirely new federal privacy laws aimed at protecting student information. Last month, for example, U.S. Reps. Todd Rokita, R-Ind., and Marcia Fudge, D-Ohio, introduced the "Student Privacy Protection Act." If enacted, the bill would expand FERPA's definitions of educational records and personally identifiable information, ostensibly to better cover digital information.
But none of those bills have yet come up for a vote.
In the meantime, the Future of Privacy Forum paper suggests, what constitutes appropriate and effective de-identification of student information remains fairly subjective and can really be determined only on a case-by-case basis.
School districts and others considering the release of such information should first consider the purpose for which it is being shared, the group's paper advises; how data should be de-identified for a longitudinal study by academic researchers may be quite different than how it should be de-identified for a vendor looking to improve its software.
The Future of Privacy Forum also outlines a variety of de-identification techniques that can be used, and it points out that strong contracts or other agreements with third-party data holders can also offer additional safeguards for students.
For now, though, the onus is largely on districts to minimize risks and maximize protections to the greatest extent possible—a responsibility the group acknowledges will require "deep technical knowledge and expertise" that many school districts lack.
That's the biggest concern about the de-identification debate for Rachael Stickland, the co-chair of the Parent Coalition for Student Privacy.
"If districts don't have dollars in their budgets to hire school nurses, librarians, and teachers to keep class sizes small, where will they find the money to 'obtain competent support' to de-identify data that they hand over to researchers, organizations or other third parties—particularly on a case-by-case basis?" Stickland said.