Last week, New York state lawmakers passed legislation to prevent identifiable student data from being uploaded to a centralized national database. The database belongs to a non-profit in the growing education technology or EdTech sector. Their goal was to collect PII, student scores, attendance, and other information and then disseminate it to teachers and administrators through dashboards—think of it as educational KPI monitoring. Parent groups, who led the opposition, were concerned that the data could potentially be viewed by third-parties and others who were not directly authorized.
There’s a larger debate occurring—see our post on data brokers–that goes under the general heading of Big Data Privacy. There’s nothing inherently wrong in collecting student data—school districts are allowed to do this. But the overall scope of data collection by this EdTech startup—millions of records—and recent regulatory changes to the Family Educational Rights and Privacy Act (FERPA) involving data contractors, have brought this tech issue in public education to the fore.
Current Technology Challenges in Education
Prior to this nationwide debate about student privacy, educational institutions were dealing with huge technology challenges. Administrators and teachers typically work with disconnected information systems holding contact information, grades, and test scores, along with non-digital comments scribbled on pads and sticky notes. The renewed focus on testing and assessment—“No Child Left Behind”—has meant that teachers are expected to use the data to target their lessons and ultimately improve student performance.
So it was tempting when educational technology companies introduced solutions, some of which offered the ability to store all student records (grades, PII, achievements, activities, absences, disabilities, learning styles, etc.) in one location, in order to leverage big data analytics for personalized learning. No doubt data-driven education will ultimately improve students’ graduation rates and career prospects.
However, privacy advocates, and especially parents, quickly saw some of the same issues that arise in the for-profit, consumer world—consent, authorized access, and data protection obligations of third-parties.
Third-Parties and PII
Even though this particular nationwide effort to store all public school children’s data in one repository has been effectively halted–eight other states have passed similar student protection laws to New York’s–children today still go online to comment on classwork with other students, complete assignments, and take tests.
Information about student test taking interactions has meaning to educators: date, time, how many attempts the student made or how long the student’s mouse hovered over a question can point to areas the instructor needs to focus on.
With medical or financial data, there are federal laws –HIPAA, GLBA, FCRA—that govern key aspects of data privacy, particularly who can access the data both within and outside the organization while still making allowances for normal data processing.
According to FERPA, only student’s personally identifiable information (PII) are protected—name, address, student ID, and other information that can link back to an individual. But when there is a legitimate educational interest to grant “school officials” –which was expanded in 2009 to include service providers–access to student PII, prior written consent is not required.
As we’ve seen with medical data when HIPAA’s data protection regulations were recently extended to data processing subcontractors, there are legitimate privacy concerns when a service provider has been granted access to PII. In the case of FERPA, the Department of Education established the Privacy Technical Assistance Center (PTAC) to provide some guidance on the data security and privacy responsibilities of these providers, but has offered only limited enforcement in case of violations.
Will this student privacy issue and other security incidents over the last year bring about uniform national rules on data protection?
While we’re pondering that question, there’s still the enormous challenge of defining PII and sensitive data. In the case of schools, online educational services collect large amounts of metadata that may not be considered protected information under FERPA because it’s not conventional PII.
As readers of this blog know, metadata can reveal a lot of information about an individual, and providers can potentially use this information to develop new personalized products and services. That’s why, along with data brokers and consumer data, this EdTech company’s control of what was expected to be 11 million educational records was also controversial.
There’s still more work to do
Share your ideas about privacy rights using hashtag #varonisRX on Twitter.