The National Center for Education Statistics on Thursday released the Forum Guide to Education Data Privacy, which tells agencies what they should consider when developing privacy programs to protect student data.
Concerns about sharing students’ data include the potential use of data for marketing purposes, the selling of student profiles to vendors, the risk of sensitive data being shared in ways that could negatively affect a student’s future, identity theft, and other inappropriate use of data when it’s not properly protected or deleted when no longer in use.
The forum suggests that when agencies create privacy programs for schools they should consider the legal implications; the relationship among data governance, security, and privacy programs; effective staff development; and the responsibility of various entities in protecting the confidentiality of student data.
- All applicable Federal and state privacy laws
The most significant Federal student privacy law is the Family Educational Rights and Privacy Act, which mandates basic privacy requirements that education agencies must meet and serves as the foundation on which states can build. FERPA requires schools to give parents the opportunity to review information in a student’s records and request a correction to any false information. FERPA prohibits schools from releasing personally identifiable information to a third party without written consent from a parent.
Other Federal laws that agencies must consider include the Protection of Pupil Rights Amendment, which relates to information collected from student surveys; Individuals with Disabilities in Education Act, which ensures that students with disabilities receive equal treatment; Children’s Online Privacy Protection Act, which protects children under age 13 who use commercial websites, online games, and mobile applications; Health Insurance Portability and Accountability Act, which protects the confidentiality of health care information; and the National School Lunch Act, which governs the disclosure of information about a student’s free or reduced-price lunch status.
Some states have produced their own legislation to strengthen the protection of student data and improve transparency about how the data is used.
- How a school’s data governance, security and privacy interact
Data governance programs outline policies, standard procedures, responsibilities, and controls surrounding data activities at each point in the data life cycle. Data security refers to the technical aspects of how data is collected and stored in the information technology infrastructure. Privacy programs cover all legal and ethical requirements surrounding sensitive data.
These three aspects address various phases in the information cycle including defining, collecting, storing, using, sharing, and retiring data.
- Staff Training
School staff must be trained accordingly to ensure that student data is protected, stored, and shared properly.
Staff should be trained on topics such as definitions of “personally identifiable information” and “sensitive data,” legal requirements, local privacy policies, directory information policies, appropriate use and sharing of data, authorized processes for managing data requests, protecting student privacy while using online educational services, methods for protecting personally identifiable information in presentations and reports, and data destruction best practices.
- Roles and Responsibilities of Various Entities
Everyone with access to student data has the responsibility to ensure the data is shared according to agency guidelines.
State boards of education can recommend and adopt policies or provide guidelines for data privacy. State education agencies are responsible for protecting data stored in statewide systems and for ensuring that all legal and ethical requirements are met when data is shared. Local school boards can establish local policies for protecting privacy. Local education agencies are responsible for establishing and supporting data governance, privacy, and security programs that facilitate instructional activities. School staff are responsible for following rules set by their local education agencies and providing feedback.
When taken into consideration, these policies and practices can help agencies develop adequate and useful privacy protection programs for student data.