Department of Education Encourages Schools to Take Affirmative Steps to Protect Data
Written by G.S. Hans
With more interactions between educators and students taking place online and through apps, increasing amounts of sensitive data are collected, retained, and used by schools and companies. Data related to education tends to be very personal, so the need for appropriate standards on protecting this data are important to encourage greater adoption of educational technologies. To that end, the Department of Education (DoE) recently released a report on requirements and best practices in protecting student privacy while using online educational services. The report is a good step towards promoting effective privacy and security standards, but in order to effectively protect students, DoE should also update existing regulations and pursue enforcement actions against providers that don’t measure up.
By focusing on software, mobile apps, and online services, the report does a good job of exploring the major areas where there are potential implications for student privacy. The major federal law that governs educational privacy, the Family Educational Rights and Privacy Act (FERPA), protects personally identifiable information contained in student educational records from unauthorized disclosure. Some online educational services will need to comply with FERPA, while others will not. For example, if a school requires students to log on with an account tied to their education records to submit homework for grading, FERPA provisions would govern. By contrast, if students complete assignments offered by a third party that doesn’t collect any personal data, FERPA wouldn’t apply.
Many online educational tools hold a great deal of promise, both in terms of increasing access to education and in improving learning and assessment practices. However, with more services comes greater security risks. Services providers will need to ensure that they create and maintain strong security programs in order to protect the sensitive student data that they collecting and retain. Professor Daniel Solove has criticized DoE’s record on protecting its own data and enforcing FERPA provisions. Because DoE doesn’t primarily focus on privacy and security, it should take a look at its existing regulations and enforcement practices and determine if they’re effectively promoting privacy and security protections online – and not just in the traditional paper records that FERPA covers.
Another area we’d like to see clarified is the standards for de-identifying personal data. Under FERPA, metadata that has been stripped of direct or indirectly identifying information is not considered personally identifiable, and thus not covered. The DOE report mentions removing location-based identifiers, but we’d prefer stronger guidelines, ideally based upon the FTC’s standard articulated in its 2012 report on protecting individual privacy. That test states that data is not “reasonably linkable” if the company (1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits not to try to re-identify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data.
We were heartened to see that DoE endorsed an approach to protecting student privacy based in large part on the Fair Information Practice Principles. The recommendations encourage schools to enter into written contracts with service providers that allow for security provisions, explicit language on the scope of data collection, provisions for data use and minimization, and data access by students, parents, or educators. As we have argued, the use of the FIPPs create the strongest protections for both users and service providers.
If online courses and educational services continue to proliferate, companies and schools that have not traditionally been heavily involved in data privacy and security will need to quickly understand the best practices necessary in order to protect students. The FERPA provisions and DoE’s guidelines can assist service providers and schools in getting up to speed, however DoE should still seek to update its regulations and enforcement mechanisms.