PRIVACY + SECURITY BLOG

News, Developments, and Insights

Double check

by Daniel J. Solove

Last week, the White House released its report, Big Data: Seizing Opportunities, Preserving Values. My reaction to it is mixed. The report mentions some concerns about privacy with Big Data and suggests some reforms, but everything is stated so mildly, in a way designed to please everyone. The report is painted in pastels; it finesses the hard issues and leaves specifics for another day. So it is a step forward, which is good, but it is a very small step, like a child on a beach reluctantly dipping a toe into the ocean.

The report covers many issues, and in this post, I want to focus on the report’s discussion of education privacy and Big Data. The report notes how Big Data can provide unprecedented insight into how students are learning and what educational techniques are effective. The report states that the “U.S. Department of Education released guidance for online education services in February 2014. This guidance makes clear that schools and districts can enter into agreements with third parties involving student data only so long as requirements under the Family Educational Rights and Privacy Act and Protection of Pupil Rights Amendment are met. . . . Schools and districts can only share protected student information to further legitimate educational interests, and they must retain ‘direct control’ over that information. Even with this new guidance, the question of how best to protect student privacy in a big data world must be an ongoing conversation.”

The report recommends that Congress “modernize the privacy regulatory framework under the Family Educational Rights and Privacy Act and Children’s Online Privacy Protection Act to ensure two complementary goals: 1) protecting students against their data being shared or used inappropriately, especially when that data is gathered in an educational context, and 2) ensuring that innovation in educational technology, including new approaches and business models, have ample opportunity to flourish.”

I am pleased by this call to reform the Family Educational Rights and Privacy Act (FERPA). In data privacy time, FERPA is an ancient law passed in 1974 when “the Cloud” was just something in the sky and when there were no such things as laptop computers, USB drives, smart phones, iPads, tablets, Webmail, or social media. Mark Zuckerberg wasn’t even an embryo.

FERPA is not getting the job done. It lacks many of the key components that modern privacy regulations have. As a result, school systems are failing to adequately protect the personal data of students, and they are sharing it with many companies, such as cloud service providers, without adequately ensuring that it is protected.

A few years ago, the Obama Administration wanted to promote the collection and use of longitudinal data about students to track their performance over time. Instead of seeking to improve FERPA’s regulatory regime to handle all this data, the approach was to have the Department of Education amend its regulations to make it easier to share student data with third parties.

Thus, it is now a big step forward to see a White House report calling for FERPA reform. It’s about time. But hardly any specifics are mentioned. I know that the goal of the report is to start the ball rolling, but this is a ball that should have been rolling more than a decade ago, and there’s a lot of ground that must be covered. To help give the ball a shove forward, here are some of my recommendations for the most important things in FERPA to be reformed:

1. Governance

FERPA must have governance provisions. By “governance,” I mean requirements for school systems so that they can have the appropriate components of a privacy program. A law is just words on a page unless there is a mechanism to bring it to life.

Schools need a person or people who own the issues of privacy and data security. They need to know how to contract with third party data vendors. They need to know how to assess for data protection risks. They need to provide adequate training to personnel. Without training, even good policies are like trees that fall in the forest when nobody is around to hear them. People need to know and understand what they are supposed to do and not do. Without this, policies are meaningless.

HIPAA and other privacy laws and regulations have governance requirements. This ensures accountability and a data protection infrastructure. In a recent post, I argued that the demise of inBloom stemmed from a lack of adequate data protection infrastructure at K-12 schools. When I compare various industries and how they are handling data protection, K-12 education is lagging far behind – not even in the Middle Ages but way back in the Stone Age. This lack of infrastructure not only threatens privacy, but it also makes it much more difficult to implement new technologies in schools.

2. Meaningful Enforcement

FERPA lacks meaningful enforcement. It lacks a private right of action. Its only sanction is the withdrawal of all federal funds, which is like using a nuclear bomb to kill a cockroach. The sanction has never been imposed in FERPA’s 40-year history.

FERPA needs to provide the Department of Education with a vibrant enforcement toolkit and the ability to issue meaningful sanctions in adequate proportion to the gravity of the violation. The Department of Education needs vastly more enforcement resources and personnel.

I’d love to see a private right of action, but I think that is about as likely as Congress voting itself a pay cut.

State Attorney General enforcement could be a powerful tool. This is something that was added to HIPAA by the HITECH Act. It should be added to FERPA too.

3. Protecting Data Down the Chain

FERPA only provides the Department of Education with the power to enforce against schools. Contrast that to HIPAA, where the Department of Health and Human Services can enforce not only against schools but also against any business associate receiving protected health information. Data stays within HIPAA’s protective bubble even as it progresses down a long chain of subcontractors. A similar enforcement power should exist under FERPA.

4. Contractual Requirements for Data Sharing

HIPAA has a set of required contractual elements before data can be shared. FERPA needs the same, as a recent study found that contracts between schools and cloud service providers lacked adequate privacy protections. According to the White House report, FERPA requires that whenever a school shares student data, it “must retain ‘direct control’ over that information.” But FERPA does a poor job of ensuring that schools remain in control. Mandating specific contractual requirements is a first step toward retaining such control.

5. Narrowing and Clarifying the Meaning of “Legitimate Educational Interests”

The White House report notes that under FERPA, “[s]chools and districts can only share protected student information to further legitimate educational interests.” This is not really the case, as FERPA allows for data to be shared in a litany of circumstances, and the concept of “legitimate educational interests” is quite fuzzy. Nearly anyone or any entity can be designated as a “school official.” Much more work needs to be done to better define what legitimate educational interests are.

6. A Data Security Rule

FERPA needs a security or safeguards rule, something that other privacy laws such as HIPAA and GLBA have. FERPA says hardly anything about data security and provides hardly any guidance about the kinds of measures that are needed to ensure that data is kept secure. These include requiring a data security program, training, keeping software up to date, providing encryption, having data access controls and accountability mechanisms, developing an incident response plan, and so on.

7. Expanded Coverage

FERPA only covers data about currently-enrolled students. But schools have a lot more data than that, including data about alumni, donors, families, applicants, students from other schools, and others. For alumni, FERPA only covers the data the school gathered about them while they were enrolled at the school; a school might have a lot more data about alumni after they graduate such as address, family, occupation, and more. All this data gathered post-graduation isn’t covered by FERPA. It should be.

I’d also like to see FERPA cover all K-12 schools, not just public ones. Because nearly all private universities depend upon federal funding, they are covered by FERPA, but many K-12 private schools are not. They need data protection guidance too.

8. De-Identification and Research Provisions

HIPAA has provisions that address research uses of health data as well as requirements for how to de-identify protected health information so that it can be used in research without some of the restrictions of HIPAA. FERPA needs something similar to enable beneficial research uses of student data while at the same time de-identifying that data to protect student privacy.

Conclusion

Although I am pleased that the White House report recommends modernizing FERPA, on the whole, the report has more rhetoric than specifics. Although the goal of the report wasn’t to recommend a legislative blueprint, we all know the basic takeaway that Big Data presents both benefits and costs. We all know that privacy is very important. It’s time to move past the obligatory nods on the one side to privacy and on the other to innovative data uses. We need to dive into the hard issues. It’s time to do something. It’s time to talk specifics. I hope that my recommendations are a start to that process.

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 600,000 followers.
