In February, we announced that we joined over 100 organizations, including Apple, Google, the Khan Academy and Microsoft in supporting the Student Privacy Pledge. Then in March, at both the Brainstorm 16.0 Conference and CoSN Annual Conference, student privacy surfaced as a leading topic of discussion.
Privacy in education is a subject that’s certainly on the rise, and as an identity management company, it’s extremely important to us. In this line of business, we tread a fine line, balancing the security issues that are vital to the operation of a school district with the individual rights of the actual classroom users of technology. But what is that line and how does an IT staff know if it’s been crossed?
To answer that question, we’ve developed a two-part series. First we’ll analyze the history of student privacy in the United States, then we’ll assess student privacy implications for IT vendors and schools through the lens of the Student Privacy Pledge.
Part 1: The History of Student Privacy
Student privacy first entered the national conversation in 1974, with the passage of the Family Educational Rights and Privacy Act (FERPA), signed into law by President Ford on August 21. As the Parent Coalition for Student Privacy documents, before FERPA’s passage, schools could release a child’s records to third parties, such as the government or the police, without parental consent, or even without allowing parents access to those records. The law was created to forbid this practice. It required parental consent for the release of any student records to a third party. It also made it possible for parents, or students over the age of 18, to request access to their records and allowed them to make edits to the records to fix any factually incorrect data.
Two significant revisions have been made to FERPA in the last six years, altering its meaning noticeably. And both revisions were made by the Department of Education without approval from Congress.
In 2008, a revision made it possible for schools to share student data with any third party designated as a “school official” without parental consent. School officials were defined as “contractors, consultants, volunteers, and other parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform.”
Another noteworthy historical chapter in student privacy came in 2009, when the Obama administration spearheaded legislation requiring schools receiving stimulus funds to create long-term systems to track student data. These systems would collect information much broader than education data - including family medical history, family income and child services records - to form a complete picture of a student. Called the “Race to the Top,” this federal grant program created the ability to track lives “cradle to the grave”. This would not have been legal under the original FERPA laws.
In 2011, yet another revision to FERPA allowed for the release of student data, without parental consent, to organizations to perform conduct studies or audits on the effectiveness of educational programs. This changed the “school official” definition implemented in 2008 to now be “authorized representatives”, which significantly increased the number of potential people and organizations that could receive student data.
The Student Privacy Pledge
In October 2014, The Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) announced The Student Privacy Pledge, a commitment for K-12 service providers to use student data only for educational purposes. The Pledge outlined 12 promises that supporters agreed to, focused on the collection, maintenance and use of student data. It was widely seen as a proactive step to counter some of the student privacy rights erosion that has occurred since FERPA’s original passage in 1974, even garnering the endorsement of President Obama.
However, the Student Privacy Pledge carries no legally binding terms. In fact, it contradicts much of what Race to the Top set out to do, making it somewhat confusing that President Obama supports both the Student Privacy Pledge and Race to the Top. In reality, it aims to revert back to the spirit of the original FERPA of 1974.
Understanding the history of student privacy in the US makes it easy to see the dichotomy that exists with FERPA, Race to the Top, and the Student Privacy Pledge.
Backers of the current FERPA, along with Race to the Top, strongly back the ability to track student achievement using data. They believe that this tracking will bring insights as to what educational practices work best for various types of students.
Many Student Privacy Pledge backers, like us here at Identity Automation, aren’t necessarily opposed to the rationale of what FERPA/Race to the Top aim to do; however, we are wary of sacrificing the privacy of individual students in order to obtain insights.
Current Student Privacy Issues
Resolving student privacy conflicts is not an easy task for software vendors, schools, parents or lawmakers. There will always be varying opinions on how student privacy should be protected and regulated.
In March, New Jersey blogger and former Star-Ledger writer Bob Braun published a private email from a school official to her superintendent colleagues revealing that large publisher Pearson Education was monitoring social media sites to find students who may be leaking information about tests administered by the company. These tests were developed by a number of states in conjunction with Pearson and intended to measure student preparedness after graduation.
Many parents and educators, including the American Federation of Teachers criticized the company’s monitoring activities. Others argued that the company was simply protecting the integrity of its tests. Pearson, through a statement on their website, said that the monitoring was contractually required as part of its agreement with the states. The fact that states required the monitoring places even more of a gray area over student privacy since states also play an important role in setting education policies, including those related to privacy.
The Pearson incident raises questions about privacy versus marketing and service strategies. Thousands of companies monitor social media for mentions of their company and products. If a student publicly posts something on Twitter and that’s tracked by a company like Pearson, is that an infringement on the student’s privacy? Or is it simply a company implementing modern research and customer service strategies?
Many argue that a tweet is not personal information since it’s shared in a public domain. However, a significant number of parents and educators felt differently about Pearson and wondered if they went further than the information they found publicly on Twitter. “How did they figure out what district the kid who tweeted was in?” Allison White, a parent of a high school student in Port Washington, N.Y., told the New York Times in a telephone interview. “Did they use any of the personal information they had access to in the testing database?”
We may not know the answer to that, but it is clear that the public perceives a different standard for student privacy than for other consumer privacy. As the reach of technology extends deeper into our lives -- and our childrens’ lives -- technology companies and policy makers are discovering that it can be difficult to discern the public’s expectations around privacy. Moreover, we are learning that perceptions of privacy are often more important than legal limits and definitions to a product or program’s success.
In the next post, we’ll explore the implications of this tension for technology vendors, policy makers, and schools themselves.