Senate Bill 167 is receiving much debate in Georgia, centered largely on its primary task of pulling the state back off of the Common Core State Standards (CCSS). But also included in the controversial bill is a Part II, the so-called “Student Right to Privacy Act.” The Georgia House Education Committee met yesterday to consider SB167, and heard from more than 60 passionate educators, parents and business leaders. While the focus was on the CCSS provisions, SIIA (see 2:16:50 of the March 5 video) and a chorus of eduction (e.g., at 1:27:25), social welfare and business leaders spoke up against the privacy regulations. None cited a problem that needed fixing, while all raised concern with the unintended consequences of restrictive regulations that undermine necessary decision making by local administrators and school boards.
SIIA agrees with the need to safeguard student privacy and data security. A strong network of laws and business practices now does so. SIIA agrees with those concerned that Senate Bill 167 may inappropriately and unnecessarily inhibit core educational functions necessary to serve Georgia’s students.
Schools and service providers have policies and procedures in place to limit the use student personal information to legitimate educational purposes, and safeguard student privacy. For example, the federal Family Educational Rights and Privacy Act (FERPA) requires that: (1) personal student information shared with service providers be limited to uses otherwise performed by the school’s own employees; (2) the provider be under direct control of the school; and (3) the information can only be used for educational purposes. And FERPA and COPPA require parental consent if the service provider wants to use or disclose the information for its own commercial purposes. Responding to the calls for additional industry self-regulation, SIIA has released Industry Best Practices as another step to ensure safeguarding of student information. This network of laws and practices is safeguarding student privacy and data security.
With regard to Senate Bill 167, the scope, scale, complexity and lack of clarity of the bill’s procedural and technical requirements are significant and challenging to address. The bill creates barriers and disincentives to local school systems to enhance their use of modern technologies and data systems for educational innovation and improvement, just at a time when the state is making continued investments in technology infrastructure and digital learning access. The bill will have a chilling effect.
- While providers are working with schools to help them support the personalization of learning, the very broad restrictions on use of all student information for so-called commercial purposes may interfere with desired educational activities. SIIA does not defend the sale of personal student data, and such sale is already prohibited by federal law. But the bill would inhibit the use of student data to improve product efficacy, and to support recommendation engines and other analytics aimed at addressing the unique needs of each student.
- The bill is inconsistent in the types of student information regulated and includes narrow, one-size-fits all restrictions on the educational use and sharing of student information, whether personally identifiable or not, including duplicative requirements around testing and cloud computing. This will create barriers to use of information appropriate and necessary for educational purposes, including with subcontractors and school directed partners.
- Many breach notification requirements are inconsistent with standard best practices. For example, required notification of all ‘suspected’ breaches could create false-positive user fatigue, diminishing attention to actual breaches. The bill also excludes standard criteria around actual harm such as in the case of encrypted data or inadvertent exposure by educators. And, ironically, the bill would inappropriately require third parties to notify parents of a breach, thus giving them access to personal parental information to which they would/should not otherwise have access.
- The bill puts in place a series of escalating and potentially very large financial penalties for violations of sometimes vague requirements, not distinguishing based upon harm, negligence or intent. There appears no opportunity to first correct the violation, or for appeal. This all will provide a disincentive for outside parties to conduct business in Georgia.
- The prohibition on student biometric data will restrict appropriate and important educational activities, including for: (1) student identity verification for online learning or device security, and (2) embedded voice and visual diagnostics for language learning and reading comprehension. Some of these require personally identifiable information, while many do not. In all cases, broader practices and laws already ensure student privacy and data security.
- Lastly, while these concerns have focused on those directly impacting school service providers, SIIA notes that there are many burdensome requirements on local school systems and institutions.
In short, SIIA is concerned that SB167, while well-intentioned, is overly inclusive and restrictive. Transparency is critical, but one-size-fits-all requirements will detrimentally limit innovation, appropriate local school decisions, and appropriate educational services that benefit Georgia students. For service providers, there are significant risks and costs that may discourage doing business in Georgia.
While many of these issues are now best handled by existing federal law, state agency guidance, and local school boards, SIIA will continue to work with policy makers in Georgia and across the country on any identified needs to further ensure privacy protections for all Georgia students.