Privacy Issues and State Longitudinal Data Systems

Personal data and information is provided to schools by parents about themselves and their students enrolled in the schools.  Most parents implicitly trust the schools with this information and their student’s records and do not question the security of their privacy.  There are protections in place such as the Family Educational Rights and Privacy Act (FERPA) and the Pupil Protection Rights Act (PPRA).  The issues and rights surrounding the privacy and protection of the personal information are very complex.  The privacy rights provided by law are often not provided in practice and may be further eroded by changes.  A push for changes in the established privacy rights is being made to facilitate greater collection and sharing of data by connecting state longitudinal data systems (SLDS).  The federal government has promoted and provided funding for the development of these longitudinal data systems.

A little information is provided here about proposed changes to FERPA, PPRA, SLDS, and a critical study of the longitudinal data systems now in place and being further developed in all fifty states.

Changes Proposed for the Family Educational Rights and Privacy Act (FERPA)

The Department of Education (DOE) has proposed changes to the regulations issued under the primary federal student-privacy statute, the Family Educational Rights and Privacy Act (FERPA). The stated purpose of the proposed changes is “to protect the privacy of education records, as intended by Congress, while allowing for the effective use of data in statewide longitudinal data systems (SLDS) . . . .” In reality, DOE’s desire to stimulate the “robust use of data” to evaluate federally funded education programs seems to outweigh the congressional mandate to protect student privacy – and the proposed changes to the FERPA regulations are a blatant attempt to bypass Congress by weakening the privacy law through radical regulation.

Listed below are objections to the proposed changes.

  • Authorized Representative – DOE proposes to define “authorized representative” (i.e., the individual or entity authorized to receive Personally Identifiable Information (PII) on students) in a way that greatly expands the universe of bureaucrats or even private entities that might be allowed to access PII. Throughout FERPA’s existence, DOE has interpreted the statute to allow nonconsensual disclosure of PII only to officials of state or local educational authorities, or to the agencies headed by certain federal officials (Secretary of Education, Comptroller General, or Attorney General). The proposed change would allow any of these people to designate other bureaucrats in other agencies – such as state employment or public-health agencies – or even private entities as “authorized representatives” for purposes of accessing PII. This is a radical change to the interpretation of FERPA, and a substantial limitation on its privacy protections.
  • Education Program – DOE proposes to define “education program” in a way that would further expand the reach of bureaucrats into private student data. The current interpretation of FERPA allows nonconsensual disclosure of PII during audits or evaluations conducted of federally funded “education programs” that are administered by educational authorities. The proposed changes would broaden this PII access to any program that could even be marginally considered “educational,” even if not conducted by an educational authority. The concern is that designating something as an “education program” to be “evaluated” becomes an excuse for gaining access to data from that program.
  • Research Studies – DOE proposes to greatly expand access to PII for use in “research studies.” Currently, FERPA allows nonconsensual disclosure of PII by educational agencies and institutions (with strict limitations) to companies that are conducting research on behalf of those agencies or institutions. The proposed changes would allow agencies further up the food chain – those that receive such PII from other agencies or institutions — to disclose that data for their own research purposes, and to do so without express legal authority. Thus, for example, a school may turn over PII to DOE as part of regular procedure and not be told that DOE is disclosing that data to a research company. And if the school discovered, and objected to, the redisclosure, DOE would not even have to point to an express legal authority for its action. “Implied authority” would be sufficient.
  • Authority to Audit or Evaluate – DOE proposes to allow state or local educational authorities, or agencies headed by the Education Secretary, the Comptroller General, or the Attorney General, to conduct audits, evaluations, or compliance activity without establishing that they have legal authority to do so. The longstanding interpretation of FERPA is that any entity seeking to audit or evaluate a program must cite particular federal, state, or local legal authority for this activity, because FERPA itself confers no such authority. DOE proposes to allow such activities – with their consequent access to PII – to be conducted even by entities that can show no legal right to engage in them. Apparently, “I’m from the government and I’m evaluating this program” will be sufficient to access the data.
  • Enforcement – DOE proposes to extend its FERPA enforcement authority beyond “educational agencies or institutions” to include any other recipients of federal funds that may misuse PII. Such entities might include, for example, student-loan lenders. While DOE’s vast expansion of access to PII would greatly increase the potential for misuse of that data, and therefore would indicate the need for broader enforcement authority, the fact remains that Congress is the only entity that is entitled to make this change. FERPA spells out DOE’s enforcement authority, and DOE cannot change this statutory law merely by changing the regulations.

There are two key points to be made regarding these proposed changes:

1) DOE is weakening longstanding student privacy protections by greatly expanding the universe of individuals and entities who have access to PII and by broadening the programs whose data might be subject to this access; and

2) DOE is attempting to evade Congress by pushing through radical policy changes through regulation rather than legislation.

Source:

Data Stewardship: Managing Personally Identifiable Information in Student Education Records.  (2010, Nov.).  IES National Center for Education Statistics.  SLDS Technical Brief.
http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011602

To download the pdf, click here.

 

The Pupil Protection Rights Act (PPRA)

The Pupil Protection Rights Act requires parental notification if a study to be conducted in a school includes any information or questions about the student or the student’s family related to the eight identified sensitive topics: political affiliations or beliefs; religious practices, affiliations, or beliefs; mental and psychological problems; sex behavior or attitudes; illegal, anti-social, self-incriminating and demeaning behavior; critical appraisals of family members; legally recognized privileged relationships; or income.

Source:

Data Stewardship: Managing Personally Identifiable Information in Student Education Records.  (2010, Nov.).  IES National Center for Education Statistics.  SLDS Technical Brief.
http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011602

To download the pdf, click here.

 

State Longitudinal Data Systems (SLDS)

Recent legislative initiatives provide funds for states to develop and implement statewide longitudinal data systems to support data-driven decisions to improve student learning and to facilitate research to increase student achievement and close achievement gaps. These data systems are intended to enhance the ability of states to manage, analyze, and use education data. The supporting legislation calls for an expansion in the amount of information included in student education records, including linkable student and teacher identification numbers and student and teacher information on student-level enrollment, demographics, program participation, test records, transcript information, college readiness test scores, successful transition to postsecondary programs, enrollment in postsecondary remedial courses, and entries and exits from various levels of the education system. To facilitate the usefulness of this information, the legislation also calls for an alignment between P–12 and postsecondary data systems, which requires linkages between student and teacher records, between preschool and elementary education, and between secondary and postsecondary education and the workforce. These linkages require data sharing across different components of the education system.

Source:

Data Stewardship: Managing Personally Identifiable Information in Student Education Records.  (2010, Nov.).  IES National Center for Education Statistics.  SLDS Technical Brief.
http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011602

To download the pdf, click here.

 

A Study of Elementary and Secondary School State Reporting Systems

The Fordham University Law School’s Center on Law and Information Policy’s A Study of Elementary and Secondary School State Reporting Systems finds the privacy of our nation’s school children is at risk. (See news release.)

The Study reports on the results of a survey of all fifty states and finds that state educational databases across the country ignore key privacy protections for the nation’s K-12 children.  The Study finds that large amounts of personally identifiable data and sensitive personal information about children are stored by the state departments of education in electronic warehouses or for the states by third party vendors.   These data warehouses typically lack adequate privacy protections, such as clear access and use restrictions and data retention policies, are often not compliant with the Family Educational Rights and Privacy Act, and leave K-12 children unprotected from data misuse, improper data release, and data breaches.  The Study provides recommendations for best practices and legislative reform to address these privacy problems.

Source:

Center on Law and Information Policy: Children’s Educational Records and Privacy.  Fordham University School of Law.
http://law.fordham.edu/center-on-law-and-information-policy/14769.htm

Related:  Here is a letter from Congressman John Kline to Education Secretary Arne Duncan raising concerns about student privacy and the creation of “a de facto national student database”.