The safeguarding of student privacy and data security remains on the agenda for many state (and federal) policymakers. SIIA took the opportunity of its invited testimony before the California state legislature to release its new “Policy Guidelines for Building a Student Privacy Trust Framework.”
The SIIA guidelines outline principles and considerations to ensure policies are appropriately targeted to enhance student confidentiality while limiting unintended or unnecessary barriers to school operations or digital learning opportunities. SIIA shared many of these before the California State Assembly hearing (see video starting at 33 minutes) on “Ensuring Student Privacy in the Digital Age,” hosted jointly by the Education and Select Privacy Committees.
Today, new technologies like cloud computing are enhancing school capacity, providing: adaptive and personalized learning, anytime, anywhere data access, enhanced data management functionality, powerful data analytics, and improved security. These tools and techniques allow educators to manage more data in more cost effective and sophisticated ways to inform instruction and enhance school productivity.
While a framework of laws and practices has been highly effective in safeguarding student confidentiality, we recognize the need to continually review policies and improve practices to enhance the trust framework between parents, schools and service providers.
We are pleased that stakeholders are doing just that in response to recent questions and concerns:
- Service providers continuously review and improve data policies, procedures and technologies.
- SIIA has released “Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services”.
- Federal agencies have updated FERPA guidance and COPPA regulations.
- School districts are instituting supplemental agreements with their vendors that further specify restrictive data use, security and confidentiality terms.
- School districts and non-profits are developing criteria for the review of apps, websites and cloud-based software, and sharing the criteria and review results.
SIIA is working to inform legislators across the country as they develop and debate new regulation, but we are concerned some of the policy solutions may be ahead of and over-correct the actualized problems. It is important that new legislative requirements provide sufficient local flexibility, are not overly restrictive or impractical so as to discourage and stifle innovation, and are consistent with existing federal protections to avoid regulatory conflicts and stakeholder confusion.
We touched on several of our newly released policy guidelines at the California hearing:
First, new policies should limit the scope to student personally identifiable information as defined under federal law.
Second, new policies should focus on the need to educate, equip, and empower schools and educators to make informed decisions that safeguard student data and serve student learning. This can be accomplished through transparency by schools and service providers, by instituting local and state governance around data use policies, and by building capacity through investment in professional development, data security technology tools, and student digital literacy. These are important alternatives, or at least complements, to policy prohibitions that may not account for unique local and evolving circumstances.
Third, new policies should provide schools and agencies with the flexibility around the use of student information to meet their goals as determined locally within the existing framework of federal protections. SIIA agrees student personal information should not be used for non-educational purposes such as selling data to insurance companies or targeting insurance advertising. SIIA agrees it should be used only for the educational purposes for which it was entrusted. The challenge is translating these principles into statute in a manner future-proofed for the wave of digital learning transformation at home and at school. Use policies should distinguish between inappropriate commercial use of personal data for non-educational purposes and the appropriate actions of a for-profit (or non-profit) school service provider to use that information for educational uses authorized by its customers and federal law, for educational product evaluation, improvement, and development and to drive adaptive and customized learning at school and home.
Fourth, while SIIA agrees with the general practice to delete data when no longer needed for the purpose for which it was collected is the appropriate general practice, policies must differentiate around data type, use and control. For example, deletion decisions are most often under the direct control of the school (not the service provider), while new models provide for parent-consented and owned personal student accounts (and their data, apps and student-created resources). Further, absolute destruction is not appropriate where aggregated, de-identified and other anonymous data is often needed for ongoing educational purposes such as to power software algorithms or where personal information is needed for accountability systems or future transcript services.
Fifth, new policies governing local contract requirements must allow for flexibility between local schools and their service providers. Any state requirements should provide a template identifying what issues should be addressed rather than prescribing the specific terms for how.
SIIA agrees with the need to safeguard student data privacy and security. Further policy protections must be carefully crafted so that privacy protection floors do not inadvertently and unnecessarily lead to educational ceilings. SIIA instead encourages new policies to be focused on transparency, governance and capacity to empower parents and school officials to make sound and safe use of student information that advance student learning.
Mark Schneiderman is Senior Director of Education Policy at SIIA.