Student Data Privacy


The digital revolution is changing the way people learn. Understanding how to interact with the digital tools, networks and social media platforms of the Internet is critical to the 21st century learner. Learning environments—including schools, libraries, museums and community centers—are upgrading technology so young people can access digital tools throughout the day, creating new opportunities to learn any time, any place and at any pace.

Throughout 2014, the Aspen Institute Task Force on Learning and the Internet—a group of 20 innovative and respected minds in technology, public policy, education, business, privacy and safety—studied the ways young people learn today. They found that, for 21st century learning environments to fully take advantage of the opportunities provided by the Internet, they also must resolve serious issues of trust, safety, privacy, literacy and equity of access. Among other recommendations, the task force found that the best approach to establishing trusted online learning environments is to have all stakeholders—including learning professionals, civic officials, local associations, parents, teachers, students and businesses—collaborate in setting local, state and/or national student privacy standards.

Policy Considerations – Student Privacy

As networked learning environments become increasingly prevalent, there is a growing need to assure students, parents, educators and policymakers that information about individual students and their learning is collected, used and stored properly. State policymakers are increasingly recognizing the value of data to provide critical information about individual student and educator performance, as well as information about what is working, what might be improved, and what information is needed to empower parents, educators and others who have a stake in education to help students succeed. They are addressing a variety of issues related to student privacy, recognizing that participation in trusted online learning environments provides a variety of digital skills and competencies that now are basic to classroom performance, workforce readiness and full participation in civic life. State lawmakers are considering the holistic role of data in education from collection, to use, to storage and ultimately deletion of student data. 

Policy Questions to Consider

  • What is the purpose of the state’s privacy policy? Legislation, such as Idaho’s SB 1372 (2014), can express a commitment to education data privacy while acknowledging the educational value of effective data use.
  • Who is responsible for developing and overseeing privacy and security policies? States are selecting state leaders, advisory boards or other government structures to be responsible for ensuring privacy and security. For example, West Virginia’s HB 4316 (2014) requires the state superintendent of schools to appoint a data governance officer as part of the state’s Student Data Accessibility, Transparency and Accountability Act.
  • Which data is included in data governance policies? States are broadening their definitions to include early learning, K-12 and workforce data in their data governance policies.
  • What are privacy requirements for private companies providing digital services to students? California’s SB 1177 (2014) applies to operators of K-12 Internet websites, online services, online applications and mobile applications, whether or not they contract with schools. The legislation clarifies that student data may be used only for school purposes. Providers are prohibited from using, sharing, disclosing or compiling personal information about students for commercial purposes, including advertising and profiling.
  • How are states allowed to handle and store student data? Several states have recently enacted legislation to prevent the altering of student data, such as NY AB 2093 (2017). Other states, including New Hampshire with HB 1551 (2018), have set guidelines for when student data should be deleted.
  • How much privacy do students have over their own data? Wyoming HB 0009 (2017) creates an expectation of privacy and ownership for students’ written works while attending the University of Wyoming. Florida HB 7026 (2018) allows the state to create a data repository including student social media data.

State Policy Approaches

States are addressing student privacy through a variety of policies, including creating governance structures to oversee transparency, protecting the privacy of student data, and prohibiting specific uses.

  • California AB 375 (2018), the California Consumer Privacy Act of 2018, establishes restrictions on how companies can use consumer data. The bill gives the state Attorney General more authority to fine companies that violate regulations, including educational companies that collect student information. It also broadens the definition of personal data, which could limit private efforts to use student data to target advertising.
  • Connecticut HB 5170 (2018), the Act Concerning Students' Right to Privacy in Their Mobile Electronic Devices, creates a working group to study issues relating to the search and seizure of a student’s personal electronic devices such as cell phones and make subsequent recommendations.  
  • Florida HB 7026 (2018), the Marjory Stoneman Douglas High School Public Safety Act, includes provisions related to mental health reporting that allow the state to create a data repository, including gathering data from student social media pages.
  • Iowa HF 2354 (2018), Relating to Student Personal Information Protection, places restrictions on third parties that receive student data and prohibits the use of this data for targeted advertisement. The legislation also bans companies from selling or disclosing student information.
  • New Hampshire HB 1551 (2018) establishes a statewide protocol for addressing the retention of student records and individualized education programs documents. The bill allows parents to request that student records be destroyed immediately on or after the student’s 26th birthday. If a parent does not make a request for records to be destroyed, they will automatically be destroyed by the time the student is 30.
  • New York AB 2093 (2017) prohibits school districts or officials from deleting or altering student data including all student files and records.
  • Wyoming HB 0009 (2017) provides that students shall have an expectation of privacy for electronic writings and other electronic communications created by the student, regardless of whether the content was written on a device paid for by a university or college.
  • Arizona HB 2088 (2016) requires written informed consent from a parent of a pupil prior to the administration of nonacademic surveys and prohibits student level nontest data from inclusion in longitudinal, student level data unless approved in a public State Board of Education meeting.
  • California AB 2799 (2016) relates to the Student Online Personal Information Protection Act. It prohibits the operator of an Internet website, online service, online application, or mobile application that is used for preschool or prekindergarten purposes, and was designed and marketed for preschool and prekindergarten purposes, from knowingly engaging in specified activities with respect to their site, service, or application.
  • Georgia SB 89 (2015), the Student Data Privacy, Accessibility and Transparency Act, requires an inventory of data elements being collected, including a reason for why each is collected; gives parents rights to review their child’s education record and requires schools to provide electronic copies of student records to their parents upon request; requires development of a data security plan for the state data system; requires technology providers working with schools to develop appropriate security procedures and prohibits them from selling personal information about students or using it for targeted advertising; and provides for the Department of Education to designate a Chief Privacy Officer.
  • California SB 1177 (2014), the Student Online Personal Information Protection Act, prohibits an operator of a website, online service, online application or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians. These services and applications also may not use covered information to amass a profile about a K-12 student, sell a student’s information or disclose covered information. The law also addresses security procedures and practices of covered information in order to protect information from unauthorized access, destruction, use, modification or disclosure.
  • Colorado HB 1294 (2014), the Student Data Privacy Act, requires the State Board of Education to publish an inventory of the individual student data currently in the student data system as required by state and federal education mandates, as well as any student data proposed for inclusion in this system. It prohibits the Department of Education from providing individual student data to other organizations or agencies outside the state except under specified circumstances.
  • Idaho SB 1372 (2014), the Student Data Accessibility, Transparency and Accountability Act of 2014, requires the State Board of Education to create, publish and make publicly available a data inventory that defines individual student data fields included in the student data system. The index must include any individual student data required to be reported by state and federal education mandates; any individual student data proposed for inclusion in the student data system with a statement explaining the reason for inclusion; and any individual student data collected or maintained with no current purpose or reason. The board is required to ensure that any contracts that govern databases, online services, assessments or instructional supports that include student data and are outsourced to private vendors, include express provisions that safeguard privacy and security, contain the restrictions on secondary uses of student data, and provide for data destruction. The act also includes penalties for noncompliance. 
  • New York SB 6356 (2014) prohibits the Department of Education from providing personally identifiable information to service providers, calls for destruction of any data already provided and allows districts to opt out of providing students’ personally identifiable information to any party for inclusion in a data dashboard. It also creates a new position of chief privacy officer, who must make security and privacy policy recommendations and develop procedures for transparency, notification and parent complaints; calls for a parents’ bill of rights for data privacy and security and a data inventory; and lays out guidelines for contracting with service providers.
  • Rhode Island HB 7124 (2014) limits the use of student data and information obtained by cloud computing service providers when providing services to K-12 educational institutions. It also prohibits the use of such data for commercial purposes, including advertising that benefits the service provider.
  • West Virginia HB 4316 (2014) outlines state, district and school responsibilities for data inventory and provides for a data governance officer. It requires the State Board of Education to develop guidelines for school districts, requiring them to notify parents of their right to request student information and allow parents to access data specific to their child’s educational record; ensure security when providing student data to parents; make sure student data is provided only to authorized individuals; and detail the timeframe within which record requests must be provided.
  • Oklahoma HB 1989 (2013), the Student Data Accessibility, Transparency and Accountability Act, requires public reporting of which student data are collected by the state, mandates creation of a statewide student data security plan, and limits the data that can be collected on individual students and how that data can be shared. It establishes new limits on the transfer of student data to federal, state, or local agencies and organizations outside Oklahoma. It also restricts the state from requesting delinquency records, criminal records, medical and health records, social security numbers and biometric information as part of student data collected from local schools and districts.

Additional Resources

Other Resources

  • The Data Quality Campaign supports state policymakers and other key leaders to promote the effective use of data to improve student achievement.
  • The Future of Privacy Forum operates a research center, FERPA|SHERPA, that focuses on education privacy laws at the state and federal level.