Integrating technology into schools and classrooms certainly has its benefits, from re-engaging disinterested learners to making learning more personalized and improving learning outcomes through analytics. However, increased technology does bring along headaches. As schools use more and more technology, they also gather more and more personalized data on their students. While this data can prove useful for teachers, parents, and administrators, there are concerns about the data falling into the wrong hands.
With this concern in mind, the National Education Association (NEA) released a policy brief earlier this year outlining best practices for securing student data.
A top concern highlighted by the NEA is that Federal legislation regarding student data has not kept pace with technological advancements.
According to the NEA, the Family Educational Rights and Privacy Act (FERPA) limits the circumstances under which a school, district, or state education agency may disclose personally identifiable information. However FERPA doesn’t require parental notification or consent for disclosure of educational records to contractors, consultants, and others over whom the educational institution exercises control. Meaning, parental notification isn’t needed if the school is sharing educational records with an app company the school has contracted with.
The NEA also discusses the Protection of Pupil Rights Amendment (PPRA), which requires school districts to work with parents to develop policies regarding the collection, use, and disclosure. However, the PPRA does not apply to information collected for the exclusive purpose of developing, evaluating, or providing educational products or services for or to students or educational institutions. Under the PPRA, the school will also be permitted to share student information with app developers or other technology companies.
Moreover, the Children’s Online Privacy Protection Act requires commercial website operators, online services, and technology apps that target children to obtain verifiable parental consent before collecting a child’s personally identifiable information. However, according to the NEA, consent may be provided by a teacher or school where use of the site or service occurs at the direction of the school or teacher, the use is educational, and the data are not used for any commercial purpose beyond education.
The Every Student Succeeds Act maintains protections that were included in No Child Left Behind, and adds specific privacy protections, including a requirement that grant recipients understand their responsibilities under FERPA, and the prohibition against creation of a national database of personally identifiable information. However, it doesn’t address the issues within FERPA or other legislation.
With these legislative issues in mind, the NEA lays out best practices:
- Schools districts should develop, in collaboration with parents and educators, policies related to the collection, use, and safeguarding of student data, and procedures for responding to data breaches, and designate the office or individual responsible for compliance.
- Educational institutions should maintain control of student data and grant access only to those with legitimate educational needs.
- Education institutions should be transparent regarding the types of data being collected, the purpose for which it is being used, and with whom data are shared and for what purpose. Those with access to student data should have clear guidelines and training regarding collection, use, and security procedures.
- Data mining for advertising and marketing purposes should be expressly prohibited.
- Data security procedures and practices should be reviewed regularly