The digital revolution is changing the way people learn. Understanding how to interact with the digital tools, networks and social media platforms of the Internet is critical to the 21st century learner. Learning environments—including schools, libraries, museums and community centers—are upgrading technology so young people can access digital tools throughout the day, creating new opportunities to learn any time, any place and at any pace.
Throughout 2014, the Aspen Institute Task Force on Learning and the Internet—a group of 20 innovative and respected minds in technology, public policy, education, business, privacy and safety—studied the ways young people learn today. They found that, for 21st century learning environments to fully take advantage of the opportunities provided by the Internet, they also must resolve serious issues of trust, safety, privacy, literacy and equity of access. Among other recommendations, the task force found that the best approach to establishing trusted online learning environments is to have all stakeholders—including learning professionals, civic officials, local associations, parents, teachers, students and businesses—collaborate in setting local, state and/or national student privacy standards.
Policy Considerations – Student Privacy
As networked learning environments become increasingly prevalent, there is a growing need to assure students, parents, educators and policymakers that information about individual students and their learning is collected, used and stored properly. State policymakers are increasingly recognizing the value of data to provide critical information about individual student and educator performance, as well as information about what is working, what might be improved, and what information is needed to empower parents, educators and others who have a stake in education to help students succeed. They are addressing a variety of issues related to student privacy, recognizing that participation in trusted online learning environments provides a variety of digital skills and competencies that now are basic to classroom performance, workforce readiness and full participation in civic life. State lawmakers are considering the holistic role of data in education from collection, to use, to storage and ultimately deletion of student data.
Policy Questions to Consider
- Who is responsible for developing and overseeing privacy and security policies? States are selecting state leaders, advisory boards or other government structures to be responsible for ensuring privacy and security. For example, West Virginia’s HB 4316 (2014) requires the state superintendent of schools to appoint a data governance officer as part of the state’s Student Data Accessibility, Transparency and Accountability Act.
- Which data is included in data governance policies? States are broadening their definitions to include early learning, K-12 and workforce data in their data governance policies.
- What are privacy requirements for private companies providing digital services to students? California’s SB 1177 (2014) applies to operators of K-12 Internet websites, online services, online applications and mobile applications, whether or not they contract with schools. The legislation clarifies that student data may be used only for school purposes. Providers are prohibited from using, sharing, disclosing or compiling personal information about students for commercial purposes, including advertising and profiling.
- How are states allowed to handle and store student data? Several states have recently enacted legislation to prevent the altering of student data, such as NY AB 2093 (2017). Other states, including New Hampshire with HB 1551 (2018), have set guidelines for when student data should be deleted.
- How much privacy do students have over their own data? Wyoming HB 0009 (2017) creates an expectation of privacy and ownership for students’ written works while attending the University of Wyoming. Florida HB 7026 (2018) allows the state to create a data repository including student social media data.
State Policy Approaches
States are addressing student privacy through a variety of policies, including creating governance structures to oversee transparency, protecting the privacy of student data, and prohibiting specific uses.
- Arizona HB 2088 (2016) requires written informed consent from a parent of a pupil prior to the administration of nonacademic surveys and prohibits student-level nontest data from inclusion in longitudinal, student-level data unless approved in a public State Board of Education meeting.
- California AB 2799 (2016) relates to the Student Online Personal Information Protection Act. It prohibits the operator of an Internet website, online service, online application, or mobile application that is used for preschool or prekindergarten purposes, and was designed and marketed for preschool and prekindergarten purposes, from knowingly engaging in specified activities with respect to its site, service, or application.
- Georgia SB 89 (2015), the Student Data Privacy, Accessibility and Transparency Act, requires an inventory of data elements being collected, including a reason for why each is collected; gives parents rights to review their child’s education record and requires schools to provide electronic copies of student records to their parents upon request; requires development of a data security plan for the state data system; requires technology providers working with schools to develop appropriate security procedures and prohibits them from selling personal information about students or using it for targeted advertising; and provides for the Department of Education to designate a Chief Privacy Officer.
- California SB 1177 (2014), the Student Online Personal Information Protection Act, prohibits an operator of a website, online service, online application or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians. These services and applications also may not use covered information to amass a profile about a K-12 student, sell a student’s information or disclose covered information. The law also addresses security procedures and practices of covered information in order to protect information from unauthorized access, destruction, use, modification or disclosure.
- Colorado HB 1294 (2014), the Student Data Privacy Act, requires the State Board of Education to publish an inventory of the individual student data currently in the student data system as required by state and federal education mandates, as well as any student data proposed for inclusion in this system. It prohibits the Department of Education from providing individual student data to other organizations or agencies outside the state except under specified circumstances.
- Idaho SB 1372 (2014), the Student Data Accessibility, Transparency and Accountability Act of 2014, requires the State Board of Education to create, publish and make publicly available a data inventory that defines individual student data fields included in the student data system. The index must include any individual student data required to be reported by state and federal education mandates; any individual student data proposed for inclusion in the student data system with a statement explaining the reason for inclusion; and any individual student data collected or maintained with no current purpose or reason. The board is required to ensure that any contracts that govern databases, online services, assessments or instructional supports that include student data and are outsourced to private vendors include express provisions that safeguard privacy and security, contain the restrictions on secondary uses of student data, and provide for data destruction. The act also includes penalties for noncompliance.
- Rhode Island HB 7124 (2014) limits the use of student data and information obtained by cloud computing service providers when providing services to K-12 educational institutions. It also prohibits the use of such data for commercial purposes, including advertising that benefits the service provider.
- West Virginia HB 4316 (2014) outlines state, district and school responsibilities for data inventory and provides for a data governance officer. It requires the State Board of Education to develop guidelines for school districts, requiring them to notify parents of their right to request student information and allow parents to access data specific to their child’s educational record; ensure security when providing student data to parents; make sure student data is provided only to authorized individuals; and detail the timeframe within which record requests must be provided.
- Oklahoma HB 1989 (2013), the Student Data Accessibility, Transparency and Accountability Act, requires public reporting of which student data are collected by the state, mandates creation of a statewide student data security plan, and limits the data that can be collected on individual students and how that data can be shared. It establishes new limits on the transfer of student data to federal, state, or local agencies and organizations outside Oklahoma. It also restricts the state from requesting delinquency records, criminal records, medical and health records, social security numbers and biometric information as part of student data collected from local schools and districts.
- The Data Quality Campaign supports state policymakers and other key leaders to promote the effective use of data to improve student achievement.
- The Future of Privacy Forum operates a research center, FERPA|SHERPA, that focuses on education privacy laws at the state and federal levels.