Education Privacy in Peril

I have been spending a lot of time examining education privacy lately, and there are some very troubling things going on in this field.   At a general level, schools lack much sophistication in how they handle privacy issues.  Other industry sectors that handle sensitive personal data have Chief Privacy Officers and a comprehensive privacy program.  Most schools lack anyone to handle privacy or any kind of privacy program.  I recently started a new company called TeachPrivacy to address these issues and help schools better develop a privacy program.

Another problem with education privacy involves the growing effort by the government to amass data about students. The Obama Administration is aggressively pushing this information gathering — the development of what are called “longitudinal databases” — to study how students perform over the duration of their education. This effort, although certainly for laudable goals, carries significant privacy risks.

One component of this effort is the proposed Gainful Employment Rule.  This rule involves the Social Security Administration collecting and providing data about student employment after graduation.   In an essay I wrote for Inside Higher Ed about some of the problems with this rule, I argue:

By collecting and linking more information about a student, the information the government already holds about a student will become more available should an errant government employee desire to misuse this information or should an unauthorized individual gain access to the data as a result of a data breach.

I don’t quarrel with the goals of the Gainful Employment Rule, but it accomplishes its goals without much consideration of the privacy impact of increased data sharing about students.  As I contend:

[A]ny Education Department regulation that seeks to collect and use data about students must be fully transparent. Students and institutions must know what additional information is being collected, who is collecting this data, and exactly how the data is being used.

In another example of the trend toward amassing more student data, the Department of Education (ED) has proposed changes to its regulations for the Family Educational Rights and Privacy Act (FERPA). The draft FERPA regulations are published at 76 Federal Register 19726 (April 8, 2011). These regulations attempt to reinterpret FERPA to allow for very broad data sharing.

The new regulations would define two previously undefined terms in FERPA in order to expand the sharing of student personal data. FERPA permits access to student personal data – without consent – by “authorized representatives” of state or federal “education programs.” The new definition of “authorized representative” alters the existing interpretation that such entities or officials are not authorized representatives.

The expansion in student information sharing through the expansive definition of “authorized representative” threatens to place sensitive student data in the hands of a very wide array of potential parties.  Educational agencies can designate “representatives” quite liberally, and this threatens to allow student data to be disseminated much more widely.  Indeed, this is ED’s goal – to allow for greater study of student longitudinal data – but it comes at a great cost to privacy.

This increase in data sharing with a wide array of entities exposes student data to significant risks. Unfortunately, FERPA’s enforcement is quite limited and minimal. There is no private right of action. The draconian sanction for a violation – loss of all federal funding – is not really a plausible option. The result is that FERPA enforcement has no teeth. It is dangerous to allow such widespread information sharing without adequate enforcement. Moreover, ED only has power over the schools and educational agencies it funds. Researchers and other organizations designated as “authorized representatives” aren’t subject to ED sanctions.

Fordham Law School’s Center on Law and Information Policy (CLIP) conducted a study in 2009 and found some troubling results. Most states failed to adequately protect privacy for their longitudinal databases of K-12 students:

We reviewed publicly available information from all 50 states and found that privacy protections for the longitudinal databases were lacking in the majority of states. We found that most states collected information in excess of what is needed for the reporting requirements of the No Child Left Behind Act and what appeared needed to evaluate overall school progress. The majority of longitudinal databases that we examined held detailed information about each child in what appeared to be non-anonymous student records. Typically, the information collected included directory, demographic, disciplinary, academic, health, and family information. Some striking examples are that at least 32% of the states warehouse children’s social security numbers, at least 22% of the states record children’s pregnancies, at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records, and almost all states with known programs collect family wealth indicators.

We found that, given the detailed and sensitive nature of the information collected, the databases generally had weak privacy protections. Often the flow of information from the local educational agency to the state department of education was not in compliance with the privacy requirements of the Family Educational Rights and Privacy Act. 

Fordham Law School, Center on Law and Information Policy, Children’s Educational Records and Privacy: A Study of Elementary and Secondary School State Reporting Systems (October 2009).

Changes to FERPA should be made legislatively along with a complete reconstruction of FERPA. FERPA is a law sorely in need of being reformulated. It is not well-designed to deal with the kind of broad information sharing that ED desires. Legislation that addressed the benefits and privacy risks of such broad information sharing could employ a much wider set of tools to achieve a more thoughtful balance.

6 Responses

  1. Al says:

    Are you arguing that the protections against disclosure are inadequate, or that the information (or some subset thereof) should not be gathered at all absent an explicit cost/benefit analysis on the part of the government?

  2. Daniel Solove says:

    Al — I’m arguing the former — that privacy protections need to be significantly improved. I am not arguing that such information shouldn’t be gathered, though I am concerned about whether it can be gathered and amassed in ways that adequately protect privacy. I have doubts that the government will keep it adequately secure, will not start using it for other purposes down the road, will appropriately limit its disclosure, will provide sufficient transparency about the uses, etc. In a world where the government has a good proven track record to keep data secure, to use it only for limited purposes, and to not allow function creep to continually increase uses over time, I’d be much more sanguine about collection. The problem is that the government has a poor track record with regard to these things.

  3. Dissent says:

    Dan: You’re right on the money as to the security/data protection issues. I’ve been doing my own analyses of available audits in my state and they show an appalling lack of adequate security for student and employee personal and sensitive information. After discussions with my state, the auditor informs me that they have now started conducting more audits, including schools, on this issue.

    Even more troubling was an audit and follow-up of data security issues/protection in the NYC Dept. of Education. Long story short: horrific report in 2004 and the NYC DOE did not address most of the concerns at follow-up a few years later. I will be contacting the city auditor to ask them to do another follow-up.

    Outside of my state, I have found extremely little evidence of any audits of school districts to determine whether sensitive student data is being adequately protected. I suspect it’s the DOE’s version of “Don’t Ask, Don’t Tell.”

    I do not think the government should be allowed to amass more sensitive data until it demonstrates that it is adequately protecting the data it has already collected.

    I’ll let you know when I write up the results of my own inquiries.

  4. Dan: Great post. CLIP filed comments objecting to the proposed FERPA regulations.
    Many of the provisions are in direct contradiction with the statute itself and with the legislative history of FERPA. We also objected to the extraordinary reach of the data sharing proposed by the Education Department. For example, the proposal would allow test prep companies and the local dog wash training program to receive K-16 educational records (that now include data such as SSN, birthweight of a teenage mother’s baby, family wealth indicators, use of foul language in school …) Seems hard to justify.

    The real problem is that the longitudinal databases require new legislation to address privacy in an effective way.

  5. Bob Gellman says:

    I am glad to see more interest in education privacy. The recent FERPA NPRM is very troublesome. I worked with Pam Dixon at the World Privacy Forum on comments, which are available at:!documentDetail;D=ED-2011-OM-0002-0231.1

    My biggest concern is that this will lead to a cradle to grave database of everyone in an attempt to do a better job of teaching students. The goal is fine, but the methods are not. The risks are much greater than the rewards.

    There are some others paying attention to these issues. Joel Reidenberg’s 2009 study was a monumental job and a real eye-opener. There are a few voices in the educational community, and Chris Calabrese at the ACLU is another voice in the privacy community.

  6. Thank you to commenters 1-5 for sharing your expertise.

    I read most of the comments submitted to the recent FERPA NPRM. Many comments were from parents, stating their desire to control disclosure regarding their children. One person asked when the government was going to ask parents to hand them their children. Unfortunately, most parents remain uninformed about the quantity and specific PII shared by USED with ‘others’.

    I E-mailed USED asking them why they consider “place of birth” non-consensually disclosable via directory information, while at the same time stating you can’t disclose a student’s nationality, ethnicity or race without consent. The answer was they’re not the same. Really? I would imagine people born in Boise, Idaho are Americans.

    Congress needs a wake-up call. Yesterday’s and today’s education news is that Duncan continues to exchange $$ for data aka Race to the Top.

    Education New York comments submitted to FERPA NPRM: