Schools have always generated and collected large amounts of student data—primarily to allow educators to better serve students—but it wasn’t until a 2013 controversy that states began passing their own laws to protect student data privacy.
Prior to 2013, student data was protected by two main federal laws related to student privacy and security:
Guarantees parents access to their children’s educational records and restricts the parties to whom schools can disclose students’ education records without consent.
Governs the information that companies operating websites, games, and mobile applications can collect from children under the age of 13.
Several loopholes within these laws however are what led to a controversy that lit a spark in student data privacy rights. In 2011, the Bill & Melinda Gates Foundation proposed a $100 million data warehouse project called inBloom, Inc. Originally piloted in nine states across the country, inBloom was developed to standardize student data collection and store it in the cloud. The catch? This data would be available to for-profit vendors to aid in developing and marketing their products and services, without parental knowledge or consent.
Parents and school officials in affected districts were shocked to learn that the main federal law on student data security, FERPA, and other related federal laws seemingly allowed for this non-consensual use and disclosure of student data. As a result of parental backlash, inBloom officially shut its doors in 2014 and state legislatures began introducing bills to close the loopholes and gaps in FERPA and other federal laws.
Effective policies and regulations at both the state and federal levels can help ensure that student data is used for its intended purpose—to support student learning. As of April 2019, 40 U.S. states had passed 116 laws, with more state regulations predicted to come online in the near future.
States generally take one of three approaches to regulating student data. The first is by regulating schools, or local education agencies (LEAs), and state-level education agencies (SEAs). A prime example, Oklahoma’s Student Data Accessibility, Transparency, and Accountability Act (Student DATA Act) passed in 2013 and includes a number of provisions designed to restrict the collection, security, access and use of student-level data, as well as improve transparency with the public about how the data is used. Subsequent laws following this model have limited data collection and use and defined how holders of student data can collect, safeguard, use and grant access to data.
The second approach has been to regulate companies that collect and use student data. For example, California’s Student Online Personal Information Protection Act (SOPIPA) prohibits online service providers from using student data for commercial purposes, such as targeted advertising to students or their parents; creating, maintaining, or sharing student profiles for non-educational purposes or selling or disclosing student data except under limited circumstances. This landmark law shifted the responsibility for appropriate data use from the education agency to the vendors with whom the agency does business.
The third approach is a combination of the first two models. For instance, Georgia followed Oklahoma’s lead in addressing three main issues regarding SEAs: which student data is collected, how it can be used ethically and securely, and who can access this data. Combined with regulations similar to SOPIPA, this approach allows student data to be used while ensuring privacy for students.
To better understand the changing landscape of student data security and privacy laws, the Data Quality Campaign tracks and analyzes legislation from all 50 states to gauge how school administrators and educators are protecting student data. Following a review of the 2018 legislative session, their annual report identified five key trends and ultimately found states are eager to use data to answer complex questions around how different students are being served, and what leaders can do to improve the outcomes. Across the country, numerous states are prioritizing:
Three states considered bills that would create wholly new or expanded statewide longitudinal data systems (SLDS). These systems would replace existing, less comprehensive ones and better link data among sectors and across the education and workforce pipeline.
Nine states passed 10 new laws creating either a specific data linkage or a cross-agency data-sharing activity.
Ten states passed laws that require the state to provide or report new data to school districts.
Eleven states passed laws to make data use possible by providing data leadership, guidance, and support.
In an increase from 2017, states introduced 24 bills in 2018 to provide educators or school leaders with training on data privacy, data use, or both.
The State Student Privacy Report Card, released in early 2019 by independent advocacy groups, The Parent Coalition for Student Privacy and the Network for Public Education, grades each state on its efforts around student data privacy. Graded on seven categories—including transparency, parental and student rights, limits on commercial use of data and enforcement—each state received a grade ranging from “A+” through “F”.
While not a single state received above a “B” grade, states are in fact making progress on the issue through introducing new legislation. In an effort to place student privacy and security at the forefront, and perhaps boost their report card scores, several states are preparing to pass new regulations, including:
With multiple states working hard to improve student privacy and data security programs through the introduction of new regulations, but failing to receive positive scores, policy makers and school leaders alike must look to modern technological support to help them face the challenges of protecting student data.
Remember, student data is primarily generated and collected for the purpose of providing students with the tools needed to succeed. In order to give students the best shot at success while protecting their data, teachers, administrators, parents and students all must rely on the combined power of effective regulation and technology— such as end-to-end encryption—to ensure that students’ data is safely shared. Effective state privacy laws on their own do not ensure that student data is protected when shared to improve student learning outcomes. Therefore, technological support is essential not only to enable sharing internally and externally, but also to maintain compliance with state and federal laws.
To find out how K-12 schools across the country are keeping their students’ data secure with an easy-to-use layer of encryption protection, talk to a Virtru data security expert today.
The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.View more posts by Editorial Team
Contact us to learn more about our partnership opportunities.