I have been spending a lot of time examining education privacy lately, and there are some very troubling things going on in this field. At a general level, schools lack much sophistication in how they handle privacy issues. Other industry sectors that handle sensitive personal data have Chief Privacy Officers and a comprehensive privacy program. Most schools lack anyone to handle privacy or any kind of privacy program. I recently started a new company called TeachPrivacy to address these issues and help schools better develop a privacy program.
Another problem with education privacy involves the growing effort by the government to amass data about students. The Obama Administration is aggressively pushing this information gathering — the development of what is called “longitudinal databases” — to study how students perform over the duration of their education. This effort, although certainly for laudable goals, carries significant privacy risks.
One component of this effort is the proposed Gainful Employment Rule. This rule involves the Social Security Administration collecting and providing data about student employment after graduation. In an essay I wrote for Inside Higher Ed about some of the problems with this rule, I argue:
By collecting and linking more information about a student, the information the government already holds about a student will become more available should an errant government employee desire to misuse this information or should an unauthorized individual gain access to the data as a result of a data breach.
I don’t quarrel with the goals of the Gainful Employment Rule, but it accomplishes its goals without much consideration of the privacy impact of increased data sharing about students. As I contend:
[A]ny Education Department regulation that seeks to collect and use data about students must be fully transparent. Students and institutions must know what additional information is being collected, who is collecting this data, and exactly how the data is being used.
In another example of the trend toward amassing more student data, the Department of Education (ED) has proposed changes to the Department of Education’s (ED) regulations for the Family Educational Rights and Privacy Act (FERPA). The draft FERPA regulations are published at 76 Federal Register 19726 (April 8, 2011). These regulations attempt to reinterpret FERPA to allow for very broad data sharing.
The new regulations would define two previously undefined terms in FERPA in order to expand the sharing of student personal data. FERPA permits the access of student personal data – without consent – to “authorized representatives” of state or federal “education programs.” The new definition of “authorized representative” alters the existing interpretation that such entities or officials are not authorized representatives.
The expansion in student information sharing through the expansive definition of “authorized representative” threatens to place sensitive student data in the hands of a very wide array of potential parties. Educational agencies can designate “representatives” quite liberally, and this threatens to allow student data to be disseminated much more widely. Indeed, this is ED’s goal – to allow for greater study of student longitudinal data – but it comes at a great cost to privacy.
This increase in data sharing with a wide array of entities exposes student data to significant risks. Unfortunately, FERPA’s enforcement is quite limited and minimal. There is no private right of action. The draconian sanction for a violation – loss of all federal funding – is not really a plausible option. The result is that FERPA enforcement has no teeth. It is dangerous to allow such widespread information sharing without adequate enforcement. Moreover, ED only has power over the schools and educational agencies it funds. Researchers and other organizations designed as “authorized representatives” aren’t subject to ED sanctions.
Fordham Law School’s Center on Law and Information Policy (CLIP) conducted a study in 2009 and found some troubling results. Most states failed to adequately protect privacy for their longitudinal databases of K-12 students.:
We reviewed publicly available information from all 50 states and found that privacy protections for the longitudinal databases were lacking in the majority of states. We found that most states collected information in excess of what is needed for the reporting requirements of the No Child Left Behind Act and what appeared needed to evaluate overall school progress. The majority of longitudinal databases that we examined held detailed information about each child in what appeared to be non-anonymous student records. Typically, the information collected included directory, demographic, disciplinary, academic, health, and family information. Some striking examples are that at least 32% of the states warehouse children’s social security numbers, at least 22% of the states record children’s pregnancies, at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records, and almost all states with known programs collect family wealth indicators.
We found that, given the detailed and sensitive nature of the information collected, the databases generally had weak privacy protections. Often the flow of information from the local educational agency to the state department of education was not in compliance with the privacy requirements of the Family Educational Rights and Privacy Act.
Changes to FERPA should be made legislatively along with a complete reconstruction of FERPA. FERPA is a law sorely in need of being reformulated. It is not well-designed to deal the kind of broad information sharing that ED desires. Legislation that addressed the benefits and privacy risks of such broad information sharing could employ a much wider set of tools to achieve a more thoughtful balance.
Originally Posted at Concurring Opinions
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.