Student Privacy at Risk Absent Better Training for All

By Daniel R. Stoller

March 24 — As toddlers and teenagers increasingly use Internet-connected devices and applications for school, parents should worry that companies delivering the educational material may also be collecting, without consent and proper safeguards, sensitive information about student performance and health status, lawmakers and industry analysts say.

Third party vendors—such as Google Inc.'s Google Apps for Education—provide schools with access to a suite of tools that allow students to collaborate on school work but also allow teachers and school administrators to collect valuable test score data and track individual student performance.

However, the new technology “left parents and students more vulnerable to misuse of student information,” House Education and the Workforce Committee Chairman John Kline (R-Minn.) said at a recent hearing on “Strengthening Education Research and Privacy Protection to Better Serve Students.”

Even though there was a big rush for innovation in student education, “nobody thought very hard about the security and privacy issues,” Jules Polonetsky, chief executive officer of the Future of Privacy Forum in Washington, told Bloomberg BNA. The use of student data applications has outpaced the necessary regulatory landscape to protect the data, Polonetsky said.

To combat the increasing risks, Congress or state legislatures need to enact stricter legislation that would provide enhanced privacy training for school administrators, teachers and parents, and update existing privacy laws that will limit the use of student data by third-party vendors in the digital world, many say.

Student data privacy is a “shared responsibility” between vendors, school districts, school officials and parents, Polonetsky said.

inBloom Collapse

The debate over student data privacy protection gained momentum after the 2014 collapse of inBloom Inc., a non-profit student data repository founded by the Bill & Melinda Gates Foundation and Carnegie Foundation for the Advancement of Teaching.

The non-profit was aimed at offering school districts “a secure technology platform” that combines student data with other services into a single solution for “real-time monitoring of student progress,” according to a statement from inBloom.

To help limit the influence the company would have over the data, inBloom would take “no ownership of student records” nor would they “sell or share confidential student data,” the statement said. The overall goal of inBloom was to provide school districts with “protected data storage space” that the “districts would continue to own, manage and control,” the statement said.

However, even reassuring statements from inBloom wouldn't quell an uprising from concerned parents. The uncertainty of the privacy landscape led to multiple districts dropping inBloom and even resulted in lawsuits—such as a 2013 suit in New York state court—to stop schools from using the service.

The collapse reflected “larger societal issues that any big-data entity—or holder, like schools—needs to think about,” R. Craig Wood, partner and education attorney at McGuireWoods in Charlottesville, Va., told Bloomberg BNA. Since most U.S. students attend public schools and are compelled to attend, they must “provide every data point imaginable” such as “health, conduct, intellectual ability, special needs” among other information, he said.

Parents feel “powerless over the most sensitive data about their child” being handled by outsiders and fight to “keep the data local,” and out of the hands of third party vendors, he added.

At times “school districts were inattentive, perhaps even sloppy, about the use of the data, and parents got angry and pushed back,” Wood said.

Student Data Privacy Legislation

Third party vendors still face strong criticism against the use of student data. How did they ever get access to student data in the first place?

The protection of student records has been a hallmark of the student data privacy debate since the passage of the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232(g), and the FERPA regulations, 34 CFR Part 99. FERPA protects student records that are “maintained by an educational agency or institution.” Under FERPA, parents have the right to access their children's educational data and have some rights to control the release of personal information.

Third-party vendors can gain access to students' personal information through the “school official exemption,” according to U.S. Department of Education guidance. School officials can provide students' personal information to vendors if they:

  • perform essentially the same function a school official could do;
  • meet the criteria in the school's notification of FERPA rights;
  • provide direct control of the application to the schools with respect to use and maintenance of education records; and
  • use records for authorized purposes and cannot disclose information to other parties.

However, “a lot has changed” in student data collection since the passage of FERPA in 1974, Chairman Kline said.

The fear of third-party vendors controlling students' personal data and creating advertisements directed at students has led to a push for legislation to protect students from the misuse of information.

There have been multiple attempts to push student data privacy legislation in Congress. For example, the Student Privacy Protection Act, introduced by Rep. Todd Rokita (R-Ind.), would amend FERPA to “provide clarity and transparency over what information schools can use, collect, and share for educational purposes,” a House Education and the Workforce Committee statement said. The bill would “update the definition of an education record” to include information collected through “classroom technology,” restrict schools from “using a student's education record to market products or services to students,” increase security protocols for “storing and gaining access to student education records” and establish a privacy official at schools that would oversee the use of student information, the statement said. Even though the bill has gained bipartisan support, it hasn't progressed outside of committee.

There has also been a push in state legislatures for student data privacy bills. In January, the American Civil Liberties Union partnered with 16 states and the District of Columbia to promote legislation to help parents and students take control of education data—in an aptly named “#TakeCTRL” campaign. Lawmakers in the 16 states—Alabama, Alaska, Connecticut, Hawaii, Illinois, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, New Hampshire, New Mexico, New York, North Carolina, Virginia and West Virginia—and D.C. introduced bills aimed at specific student privacy issues, such as student social media privacy, student one-to-one device privacy and student personal technology privacy. The ACLU also introduced a model law that would add a heightened level of protection for student data.

If Congress or the states are unable to pass stricter laws to increase student data protection, who should step up to protect student privacy?

Burden Sharing

The answer is a multifaceted approach to student data privacy that flows from the third-party vendor all the way down to the student being cognizant of personal cybersecurity hazards.

Student app developers play a role on the highest level. They have “to make preventing a breach their highest priority,” Wood said. If the developers “do not have the resources and commitment to protecting the data” from hackers then they shouldn't “be in the business in the first place,” he added.

Robert Swiggum, deputy superintendent for the Georgia Department of Education, believes that school districts need to play a crucial role in protecting student data. “School districts control access to data” and control the security of who can access the data, he said in a statement. States need to work with local schools and districts to ensure there is a purpose behind every piece of information, he said.

Polonetsky echoed the same remarks and agrees that school districts and school administrators need to be more proactive in the protection of student data.

Dan Solove, professor at George Washington Law School and chief executive officer of TeachPrivacy, a privacy and security training company, told Bloomberg BNA that since “schools are custodians of student data,” “they must exercise great care in protecting that data.”

One way school districts can help protect student data is to provide more training for the teachers, Polonetsky said. Even though “teachers do not have the time to keep up” with changes in student privacy, they should be given the opportunity to learn “tips and tricks” to combat data privacy issues, he said.

School districts can bring in privacy professionals to increase privacy education for both teachers and parents, Solove said. The professionals would help school districts in contracting matters with vendors, help inform teachers and parents and provide general privacy education to students, he said.

The onus of student privacy doesn't rest only on the school; parents also play a role in protecting student data, Solove said. “Parents always have a responsibility,” but they don't always “know enough,” he said.

Parents must also have the opportunity to interact with school officials to learn more about which information is being collected and shared, Parent Coalition for Student Privacy Co-chair Rachael Strickland said in a statement. Parents have a “false sense of assurance” that the information shared is “low risk,” when in reality it can include health data and criminal records, she said.

Keeping parents in the loop and learning about student data privacy is the best way to build relationships and trust with school districts, Strickland said.

According to Solove, “everyone needs more training.”

“Teachers and school leaders must know how to protect” the data, Rep. Robert C. Scott (D-Va.) said at the House Education and the Workforce Committee hearing. Even though third-party vendors and school administrators “can't compromise on privacy,” they shouldn't limit the advancement of student technology to improve student performance, he added.

The protection of student data relies on all interested parties. In lieu of congressional action, analysts agree that app developers need to make their security systems stronger, school districts need to protect access to data, school administrators need to provide proper training to parents and parents need to get involved in the protection of their children's data.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald G. Aplin at


Steps to Better Protect Student Privacy

Dan Solove, professor at George Washington Law School and chief executive officer of TeachPrivacy, a privacy and security training company, told Bloomberg BNA that there are some common-sense steps school districts can take to better educate teachers, parents and students about data privacy, such as:

  • hiring a privacy officer in schools to improve contracts with third-party vendors and inform parents and students of privacy issues;
  • adding cybersecurity and privacy classes to the K-12 school curriculum and teaching students to be safe and responsible online; and
  • increasing the role parents play in student data privacy and providing training to parents who may lack expertise in basic privacy practices.

Solove's TeachPrivacy educational privacy and FERPA training programs are available at:

